CVE-2023-43274 - Breaking Down a SQL Injection Vulnerability in PHPjabbers PHP Shopping Cart 4.2

In September 2023, a critical security vulnerability, identified as CVE-2023-43274, was disclosed for the PHPjabbers PHP Shopping Cart version 4.2. This flaw can allow attackers to exploit a well-known web security weakness called SQL Injection. Specifically, the issue is found in how the application processes the id parameter.

In this article, we'll break down what this vulnerability is, how it works, and show a simple example exploit. This write-up is meant to be straightforward and easy to follow, even if you're new to web security.

What is SQL Injection?

SQL Injection is one of the oldest and most dangerous vulnerabilities in web applications. It happens when user-supplied data is sent to the database without proper filtering, allowing attackers to interfere with the queries an application makes to its database.

The Vulnerable Code (Simplified Example)

Let's look at a simplified version of how this vulnerability might appear in PHPjabbers PHP Shopping Cart. Suppose there is a PHP file that gets product information using a GET parameter called id:

<?php
// Vulnerable code
$id = $_GET['id'];
$sql = "SELECT * FROM products WHERE id = $id";
$result = mysqli_query($conn, $sql);

if ($result) {
    // Show product
} else {
    // Error
}
?>

In the code above, no checks are made to ensure that $_GET['id'] is actually just a number. Because of this, an attacker can inject their own SQL commands, tricking the database into doing something dangerous.

Suppose a customer visits this product URL

http://example.com/product.php?id=1

Normally, this will show the product with ID 1. But what if a hacker changes the URL to this?

http://example.com/product.php?id=1 OR 1=1

The resulting SQL query now becomes

SELECT * FROM products WHERE id = 1 OR 1=1

Now, every product might be shown, or the entire database could be dumped if the query is used elsewhere.

Attackers can also try to extract sensitive information using UNION SELECT statements, or even modify or delete data.

Suppose the database has a users table. An attacker might try

http://example.com/product.php?id=1 UNION SELECT 1,username,password,4,5 FROM users--

Note: The number of fields in the SELECT needs to match the query, but this is just for demonstration.

Prepared statements separate data from code and make these attacks impossible

<?php
$id = $_GET['id'];
$stmt = $conn->prepare("SELECT * FROM products WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
// ...
?>

Make sure id is an integer

$id = intval($_GET['id']);

3. Least Privilege Database Accounts

The app's database account should only have the permissions it needs — never ROOT or ALL.

Original References

- CVE Details for CVE-2023-43274
- Exploit-DB: PHPjabbers PHP Shopping Cart 4.2 SQL Injection
- PHPjabbers Official Site

Conclusion

CVE-2023-43274 is a real-world example of why SQL Injection is still such a critical issue in web applications. By understanding how it works and how to fix it, you can help keep your site and users safe. If you use PHPjabbers Shopping Cart, be sure to patch or update your installation right away!

Timeline

Published on: 09/21/2023 14:15:10 UTC
Last modified on: 09/22/2023 02:15:02 UTC