Hello everyone!

Today I am going to discuss a security vulnerability discovered in lmxcms v1.4.1, which has been assigned the identifier CVE-2023-29598. It is a SQL injection vulnerability affecting the setbook parameter in the index.php file. In this post I'll cover the vulnerable code, how the flaw is triggered, the original references, and mitigation steps.

Vulnerability Summary

The lmxcms v1.4.1 web application, a content management system, has been found to contain a serious SQL injection vulnerability. The issue arises from improper input validation of the 'setbook' parameter in index.php. An attacker could use this parameter to inject SQL into queries run against the backend database, leading to unauthorized access to sensitive information or other severe consequences.

Code Snippet

The vulnerable code is in the index.php file, where the setbook parameter is read. The value is taken directly from the query string without sanitization or validation, so an attacker can submit an SQL injection payload via the setbook parameter. Here's a snippet of that code:

$setbook = $_GET['setbook'];

Later on in the code, the unsanitized input is used to construct an SQL query, making it vulnerable to SQL injection.

$sqlQuery = "SELECT * FROM books WHERE book_id = '{$setbook}'";
$result = mysqli_query($connection, $sqlQuery);

Exploit Details

To exploit this vulnerability, an attacker needs to send a specially crafted HTTP request with an SQL payload in the 'setbook' parameter. For example, the attacker can use a web browser to send the following HTTP request:

http://target-site.com/index.php?setbook='; OR '1'='1

The resulting server-side query no longer restricts results to the intended book_id, bypassing the intended access controls and giving the attacker unauthorized access to data stored in the database.

For a more sophisticated attack, the attacker could use a tool such as sqlmap to automate the process and extract data from the database.

Original References

- Recorded Future: lmxcms v1.4.1 SQL Injection - CVE-2023-29598
- NVD: National Vulnerability Database Entry for CVE-2023-29598

Mitigation Steps

As a temporary measure, it is recommended that users of lmxcms v1.4.1 apply a patch to the index.php file to protect their web applications from this vulnerability. The following code should be used to sanitize the 'setbook' parameter before using it in any SQL queries:

$setbook = intval($_GET['setbook']); // cast to integer so only a numeric value reaches the SQL query

However, the best course of action is to update to the latest version of lmxcms, which should address this issue along with any other potential vulnerabilities. Keep an eye out for any updates or announcements from the developers.
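As an added example (not lmxcms code and not the patch the post recommends), here is the vulnerable pattern from the post next to a hardened handler that validates the parameter as an integer and binds it with a mysqli prepared statement. The table and column names (books, book_id) and the $connection handle are taken from the post; the function names and the validation rules are assumptions. Compared with a bare intval(), filter_var rejects malformed input outright instead of coercing it, and the bound parameter means the value can never be parsed as SQL even if validation is later relaxed.

```php
<?php
// Added example, not lmxcms code. Shows the vulnerable query from the post
// beside a hardened version. books/book_id/$connection come from the post;
// function names and validation rules are assumptions.

declare(strict_types=1);

/**
 * Vulnerable form, as described in the post: the raw GET value is interpolated
 * into the SQL string, so quote characters in $setbook change the query.
 */
function fetchBookVulnerable(mysqli $connection, string $setbook): ?array
{
    $sqlQuery = "SELECT * FROM books WHERE book_id = '{$setbook}'";
    $result = mysqli_query($connection, $sqlQuery);
    return $result ? (mysqli_fetch_assoc($result) ?: null) : null;
}

/**
 * Hardened form: validate the value as a positive integer, then bind it as a
 * parameter. A bound parameter is sent as data, never parsed as SQL.
 */
function fetchBookSafe(mysqli $connection, $rawSetbook): ?array
{
    // Allow-list validation: digits only, within a sane range. Reject anything
    // else instead of coercing it (intval() would silently turn "1 OR 1=1" into 1).
    $bookId = filter_var($rawSetbook, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    if ($bookId === false) {
        return null; // caller should respond with 400/404, not run a query
    }

    $stmt = $connection->prepare('SELECT * FROM books WHERE book_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $connection->error);
    }
    $stmt->bind_param('i', $bookId); // 'i' = integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Usage (assumes $connection is an open mysqli handle):
// $book = fetchBookSafe($connection, $_GET['setbook'] ?? null);
// if ($book === null) { http_response_code(404); exit; }
```

The same two-step pattern (validate the shape of the input, then pass it as a bound parameter) applies to every other request parameter that ends up in a query; the intval() line above fixes this one parameter, while prepared statements remove the class of bug.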

In conclusion, the discovery of this SQL injection vulnerability in lmxcms v1.4.1 highlights the importance of proper input validation and the need for robust security measures in web applications. Users and developers alike should remain vigilant in identifying and mitigating potential security risks.

Timeline

Published on: 04/13/2023 14:15:00 UTC
Last modified on: 04/21/2023 17:07:00 UTC