CVE-2023-38899

Vulnerability

O_Blog version 1.0, a PHP-based social article network application, contains a SQL injection vulnerability in the login mechanism. The eposta parameter in the POST request to /O_Blog-main/ is not properly sanitized, allowing an attacker to inject arbitrary SQL commands. The official description notes that the vulnerability is related to the secure_file_priv component, which in MySQL restricts file operations; exploitation can bypass this restriction. The issue is demonstrated in the project's issue tracker [3].

Exploitation

An attacker with network access to the O_Blog login page can craft a malicious POST request. The provided proof-of-concept includes a payload such as eposta=2384693535@qq.com' or 1=1#&sifre=31232132, which injects a tautology to bypass authentication. The secure_file_priv component is then leveraged to read or write files on the database server, potentially allowing privilege escalation. No user interaction beyond submitting the login form is required [3].

Impact

Successful exploitation leads to authentication bypass, allowing the attacker to gain unauthorized access as any user. By further exploiting the SQL injection to interact with file operations (via the secure_file_priv component), the attacker can escalate privileges to a higher level, possibly gaining administrative control over the application and reading or writing arbitrary files on the underlying database server [1][3].

Mitigation

As of the publication date, no patched version has been released. The project's GitHub repository does not show an explicit fix or security advisory [1][2]. Users should consider applying input validation and parameterized queries to all user-supplied input, especially the login fields, and restrict MySQL secure_file_priv settings to prevent file system access. The application may be abandoned or unmaintained; migrating to a supported alternative is recommended.