CVE-2023-5032 - Critical SQL Injection Vulnerability in OpenRapid RapidCMS 1.3.1

A critical SQL injection vulnerability (CVE-2023-5032) has been reported in OpenRapid RapidCMS 1.3.1. The flaw sits in an administrative backend script, /admin/article/article-edit-run.php, and leaves sites running this version open to remote attack. VulDB tracks the issue as VDB-239876.

Because the script lives under /admin, reaching it is expected to require an administrative session, or a weakness in how the backend enforces one; an attacker with that access can read, modify or destroy database contents. Exploit details have already been released publicly, so affected installations should be fixed without delay.

What Is Affected?

+ Product: OpenRapid RapidCMS
+ Version: 1.3.1
+ File: /admin/article/article-edit-run.php
+ Vulnerable Parameter: id
+ Attack Vector: Remote (over HTTP/S)
+ Vulnerability Type: SQL Injection

Explaining the Vulnerability

The script /admin/article/article-edit-run.php reads an id argument and, as reported, uses it without validation. The raw request value is concatenated straight into the SQL text, so an attacker who controls id is no longer supplying a number but part of the statement, and can make the database run SQL of their choosing.

Sample Vulnerable PHP Code

Below is a simplified example of what the problematic code might look like inside article-edit-run.php:

<?php
// Assume admin authentication is handled elsewhere

$id = $_GET['id'];
$title = $_POST['title'];
$content = $_POST['content'];

// DANGEROUS: $id is interpolated with no validation or escaping ($title and $content are too)
$sql = "UPDATE articles SET title='$title', content='$content' WHERE id=$id";
$result = mysqli_query($conn, $sql);

if ($result) {
    echo "Article updated!";
} else {
    echo "Update failed!";
}
?>

In this code $id is whatever the request carried, so an attacker can supply SQL instead of a number. $title and $content are interpolated just as carelessly, but id is the parameter named in the advisory, and because it is an unquoted numeric the payload does not even need to break out of a string literal.

How Is It Exploited?

An attacker can directly inject arbitrary SQL using the id parameter in an HTTP request.

Example Exploit Request

Assume the request is sent with an admin session: your own, when testing an installation you control, or one an attacker has obtained, whether through a stolen cookie or because the backend's authentication is weak or missing. The following request is enough to confirm or exploit the injection:

POST /admin/article/article-edit-run.php?id=1%20OR%201=1%23 HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/x-www-form-urlencoded

title=Injected&content=Exploit

Here id decodes to 1 OR 1=1#. Against the sample query above the clause becomes WHERE id=1 OR 1=1#, which matches every row, so one request overwrites the title and content of every article. The trailing # is a MySQL line comment that discards anything the script might append after the id; it has to be sent URL-encoded as %23, because a literal # would be read as a URL fragment and never reach the server.
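Defenders will want to find attempts like the one above in their web-server logs. The following Python is an added example (mine, not code from this write-up or from RapidCMS) that scans access-log lines in the common log format for requests to the vulnerable script whose id is anything other than a positive integer. Rather than matching injection keywords, it allow-lists the shape the parameter is supposed to have, so encoded variants, other comment styles and boolean probes fail the same check. The log lines, client addresses and timestamps are constructed for the example; the injected id in them is the one from the request shown above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (common log format). Addresses and times are made
# up; the %20OR%201=1%23 request mirrors the one shown on this page, the others
# are benign traffic, a generic boolean probe, and the same payload sent with raw
# spaces (some servers answer 400 but still log the request line as received).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2023:04:10:02 +0000] "POST /admin/article/article-edit-run.php?id=7 HTTP/1.1" 200 512
203.0.113.7 - - [18/Sep/2023:04:10:41 +0000] "GET /admin/article/article-edit.php?id=7 HTTP/1.1" 200 8120
198.51.100.23 - - [18/Sep/2023:04:15:11 +0000] "POST /admin/article/article-edit-run.php?id=1%20OR%201=1%23 HTTP/1.1" 200 512
198.51.100.23 - - [18/Sep/2023:04:15:19 +0000] "POST /admin/article/article-edit-run.php?id=1%20AND%201=2 HTTP/1.1" 200 512
198.51.100.23 - - [18/Sep/2023:04:15:27 +0000] "POST /admin/article/article-edit-run.php?id=1 OR 1=1 HTTP/1.1" 400 226
192.0.2.5 - - [18/Sep/2023:04:16:00 +0000] "GET /index.php?id=1%20OR%201=1 HTTP/1.1" 200 4096
"""

TARGET_PATH = "/admin/article/article-edit-run.php"

# The only shape a legitimate article id should ever have.
ARTICLE_ID = re.compile(r"[1-9][0-9]*")

# client identity user [timestamp] "METHOD target HTTP/x" status bytes
# The target is matched lazily up to the protocol token so that a request line
# containing unencoded spaces is still captured whole instead of truncated.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[0-9.]+" (?P<status>\d{3}) \S+'
)


def suspicious_ids(target):
    """Decoded id values of a request target that are not plain positive integers.

    Returns an empty list for any path other than the vulnerable script, so the
    same payload against an unrelated endpoint is not attributed to this CVE.
    """
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("id", [])
    return [v for v in values if not ARTICLE_ID.fullmatch(v)]


def scan_log(text):
    """Flag log entries that hit the vulnerable script with a malformed id."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for bad in suspicious_ids(m["target"]):
            hits.append(
                {"client": m["client"], "time": m["ts"], "method": m["method"], "id": bad}
            )
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["method"]} id={hit["id"]!r}')
```

Run against the sample, the scanner reports the three requests from 198.51.100.23 and ignores the benign edit, the unrelated /index.php probe and the article-edit.php page load. Pointing it at a real log (for example, `scan_log(open("access.log").read())`) gives a quick answer to the question an incident responder asks first: has anyone already tried this against us, and from where?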

Possible Attack Outcomes

- Bulk modification or destruction of records: a WHERE clause that matches every row, as in the request above, rewrites every article in one request
- Extraction of database content such as credentials, for example by writing a subquery's result into title and reading it back from the public site, or by blind (boolean or time-based) inference
- Anything else the CMS's database account is allowed to do; the blast radius is bounded by that account's privileges, which is one more reason not to connect the application as a database superuser

Correct Query Example

With a prepared statement the values never become part of the SQL text, so escaping them beforehand is not just unnecessary but harmful: mysqli_real_escape_string adds backslashes that a bound parameter would then store literally. Validate id as a positive integer, bind every value, and check the outcome. Authentication of the admin endpoint still has to be enforced separately; this only removes the injection.

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid article id');
}
$title   = (string) ($_POST['title'] ?? '');
$content = (string) ($_POST['content'] ?? '');

// Placeholders keep the statement structure fixed; the driver sends the values separately
$stmt = $conn->prepare("UPDATE articles SET title=?, content=? WHERE id=?");
$stmt->bind_param("ssi", $title, $content, $id);
$stmt->execute();
echo $stmt->affected_rows === 1 ? "Article updated!" : "Update failed!";
$stmt->close();
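To make the contrast between the vulnerable snippet and the corrected query concrete, here is an added runnable example (mine, not code from this write-up or from RapidCMS) that reproduces the update logic in Python against an in-memory SQLite database: the concatenated form beside the validated, parameterised form, each reporting how many rows it changed. The table layout and sample rows are constructed from the simplified PHP above and are assumptions, not the real schema; the injected id is the one from the request shown earlier, minus the MySQL-only # comment, which SQLite does not recognise.

```python
import re
import sqlite3

# Constructed sample rows standing in for the CMS's articles table. The table name
# and columns are assumed from the page's simplified PHP, not taken from RapidCMS.
SAMPLE_ARTICLES = [
    (1, "Welcome", "First article"),
    (2, "Release notes", "Second article"),
    (3, "Contact", "Third article"),
]

# The id from the page's request, without the trailing MySQL '#' line comment:
# SQLite has no '#' comment syntax, and nothing follows the id in the sample
# query anyway, so the effect on the WHERE clause is the same.
INJECTED_ID = "1 OR 1=1"


def make_db():
    """Fresh in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, content TEXT)"
    )
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ARTICLES)
    conn.commit()
    return conn


def vulnerable_update(conn, raw_id, title, content):
    """Mirror of the page's PHP: request values pasted straight into the SQL text.

    Returns the number of rows the UPDATE touched. With raw_id = "1 OR 1=1" the
    WHERE clause is true for every article, so every row is rewritten.
    """
    sql = f"UPDATE articles SET title='{title}', content='{content}' WHERE id={raw_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def parse_article_id(raw_id):
    """Allow-list validation: an article id is a positive decimal integer, nothing else."""
    if not isinstance(raw_id, str) or not re.fullmatch(r"[1-9][0-9]*", raw_id):
        raise ValueError(f"invalid article id: {raw_id!r}")
    return int(raw_id)


def safe_update(conn, raw_id, title, content):
    """Hardened form: validate the id, then bind every value as a parameter.

    The SQL text is a constant; the driver ships the values separately, so no
    request content can alter the statement's structure.
    """
    article_id = parse_article_id(raw_id)
    cur = conn.execute(
        "UPDATE articles SET title=?, content=? WHERE id=?",
        (title, content, article_id),
    )
    conn.commit()
    return cur.rowcount


def titles(conn):
    """Current titles in id order, to inspect what an update actually did."""
    return [row[0] for row in conn.execute("SELECT title FROM articles ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, rows updated:", vulnerable_update(db, INJECTED_ID, "Injected", "Exploit"))
    print("titles now:", titles(db))

    db = make_db()
    try:
        safe_update(db, INJECTED_ID, "Injected", "Exploit")
    except ValueError as exc:
        print("safe path rejected the id:", exc)
    print("safe, rows updated for id 2:", safe_update(db, "2", "Edited", "Exploit"))
    print("titles now:", titles(db))
```

Run it and the vulnerable path reports three rows changed for a single request; the hardened path rejects the same input before any SQL executes, and a legitimate id touches exactly one row. Parameter binding alone already prevents the structural change, but the explicit integer check matters too: bound as a string, "1 OR 1=1" compares to nothing in SQLite, while MySQL coerces such a string to the number formed by its leading digits and would quietly update article 1. Validating first turns both behaviours into a clean 400 response.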

References

- VulDB entry VDB-239876 for CVE-2023-5032
- MITRE CVE record for CVE-2023-5032
- OWASP: SQL Injection

Conclusion

CVE-2023-5032 is a serious vulnerability for anyone running OpenRapid RapidCMS 1.3.1. Exploitation is straightforward: anyone who can reach the admin edit script with a valid session can alter or extract your data. If you run this CMS, move to a fixed release as soon as one is available or apply the prepared-statement fix above, and never place request input into SQL text without validating it first.

Stay safe and keep your applications up to date!

*This write-up is exclusive content, crafted to give you clear understanding and practical insights on this CVE. If you have questions or need help securing your CMS, consult the official documentation or reach out to reputable security professionals.*

Timeline

Published on: 09/18/2023 04:15:11 UTC
Last modified on: 11/07/2023 04:23:23 UTC