CVE-2024-0655 Overview
A critical SQL injection vulnerability has been identified in Novel-Plus version 4.3.0-RC1, an open-source novel reading and management platform developed by xxyopen. The vulnerability exists in the /novel/bookSetting/list endpoint where the sort parameter is not properly sanitized before being used in SQL queries. This allows unauthenticated remote attackers to inject malicious SQL code, potentially leading to unauthorized data access, data manipulation, or complete database compromise.
Critical Impact
Unauthenticated attackers can exploit this SQL injection vulnerability to extract sensitive data, modify database contents, or potentially gain control over the underlying database server through the vulnerable sort parameter.
Affected Products
- xxyopen Novel-Plus version 4.3.0-RC1
Discovery Timeline
- 2024-01-18 - CVE-2024-0655 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-0655
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) affects the book settings functionality of Novel-Plus. The application fails to properly validate and sanitize user input passed through the sort parameter when accessing the /novel/bookSetting/list endpoint. Because this parameter is directly incorporated into SQL queries without proper parameterization or input sanitization, attackers can inject arbitrary SQL statements that will be executed by the database engine.
The vulnerability is particularly severe because it does not require any authentication to exploit. An attacker can directly interact with the vulnerable endpoint from the network, crafting malicious requests that manipulate database operations. Successful exploitation could allow attackers to read sensitive user data, modify or delete database records, bypass authentication mechanisms, or in some configurations, execute operating system commands through database functions.
Root Cause
The root cause of this vulnerability is improper input validation in the Novel-Plus application. The sort parameter received from user requests is directly concatenated or interpolated into SQL queries without proper sanitization or the use of parameterized queries (prepared statements). This classic SQL injection pattern occurs when developers trust user input and fail to implement secure database query practices.
Attack Vector
The attack vector is network-based, requiring no user interaction or authentication. An attacker can craft HTTP requests to the /novel/bookSetting/list endpoint with a maliciously crafted sort parameter value. By injecting SQL syntax into this parameter, the attacker can alter the intended query logic.
For example, an attacker might manipulate the sort parameter to include SQL injection payloads such as ' OR 1=1--, time-based blind injection techniques, or UNION-based queries to extract data from other database tables. The public disclosure of this vulnerability, documented in the GitHub PoC Repository, increases the risk of exploitation as proof-of-concept details are available.
Detection Methods for CVE-2024-0655
Indicators of Compromise
- Unusual HTTP requests to /novel/bookSetting/list containing SQL syntax in the sort parameter
- Database error messages in application logs indicating malformed SQL queries
- Unexpected database query patterns or execution times suggesting time-based blind SQL injection attempts
- Evidence of data exfiltration or unauthorized database modifications
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in request parameters
- Monitor application logs for SQL syntax errors or unexpected query failures targeting the bookSetting functionality
- Deploy intrusion detection systems (IDS) with signatures for common SQL injection payloads
- Enable database audit logging to track unusual query patterns or unauthorized data access attempts
Monitoring Recommendations
- Configure real-time alerting for requests to /novel/bookSetting/list containing suspicious characters such as single quotes, double dashes, or SQL keywords
- Establish baseline metrics for normal database query performance and alert on anomalies that may indicate exploitation
- Review web server access logs for high-frequency requests to the vulnerable endpoint from single IP addresses
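The monitoring points above (suspicious characters in the sort parameter, and high request counts from one source), as an added detection example that is not part of the original advisory. It runs over constructed access-log lines in common log format; the IPs, timestamps and payload shape are made up for illustration, and the allowlist regex assumes a legitimate sort value is a column identifier with an optional direction.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jan/2024:10:00:01 +0000] "GET /novel/bookSetting/list?page=1&sort=id%20desc HTTP/1.1" 200 512
203.0.113.10 - - [18/Jan/2024:10:00:02 +0000] "GET /novel/bookSetting/list?sort=create_time HTTP/1.1" 200 498
198.51.100.7 - - [18/Jan/2024:10:00:05 +0000] "GET /novel/bookSetting/list?sort=id%27%20OR%201%3D1-- HTTP/1.1" 500 231
198.51.100.7 - - [18/Jan/2024:10:00:06 +0000] "GET /novel/bookSetting/list?sort=id%27%20OR%201%3D1-- HTTP/1.1" 500 231
203.0.113.22 - - [18/Jan/2024:10:00:09 +0000] "GET /novel/book/list?sort=id HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/novel/bookSetting/list"
# A legitimate sort value is a single column identifier, optionally followed by asc/desc.
# Anything else (quotes, comment markers, extra tokens) is treated as suspicious.
SAFE_SORT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\s+(?:asc|desc))?$", re.IGNORECASE)


def suspicious_sort(value: str) -> bool:
    """True when the (percent-decoded) sort value is not a plain identifier."""
    return SAFE_SORT_RE.match(unquote(value).strip()) is None


def analyze_log(text: str):
    """Return (alerts, per-IP hit counts) for requests to the vulnerable endpoint."""
    alerts, hits = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != VULN_PATH:
            continue
        hits[m["ip"]] += 1
        # parse_qs already percent-decodes the values.
        for sort in parse_qs(parts.query).get("sort", []):
            if suspicious_sort(sort):
                alerts.append({"ip": m["ip"], "ts": m["ts"], "sort": sort, "status": int(m["status"])})
    return alerts, hits


def noisy_sources(hits: Counter, threshold: int):
    """IPs whose request count to the endpoint reaches the threshold (baseline is site-specific)."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)
```
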
How to Mitigate CVE-2024-0655
Immediate Actions Required
- Restrict network access to Novel-Plus instances until patching is complete
- Implement WAF rules to block requests containing SQL injection patterns in the sort parameter
- Review database logs for evidence of prior exploitation and assess data integrity
- Consider taking the application offline if it contains sensitive data and cannot be immediately patched
Patch Information
As of the last modification date, no official patch information has been published by the vendor. Users should monitor the xxyopen Novel-Plus project for security updates and upgrade to a patched version when available. Additional vulnerability details can be found in the VulDB advisory.
Workarounds
- Deploy a web application firewall (WAF) configured to filter SQL injection attempts targeting the /novel/bookSetting/list endpoint
- Implement application-level input validation to sanitize the sort parameter, allowing only alphanumeric characters and expected sort field names
- Use network segmentation to limit access to the Novel-Plus application from untrusted networks
- If source code access is available, modify the vulnerable endpoint to use parameterized queries or prepared statements for all database operations involving user input
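The allowlist workaround from the list above, shown beside the vulnerable concatenation pattern, as an added example that is not Novel-Plus code. It goes slightly beyond the page on one point: a column name in ORDER BY is an identifier and cannot be bound as a prepared-statement parameter, so the sort field is resolved through an allowlist map and only the WHERE value is bound. The table, column names and sort-name mapping are constructed for the demo and are not the project's schema.

```python
import sqlite3

# Allowlist mapping from client-facing sort names to real column identifiers.
# These names are assumed for illustration, not Novel-Plus's schema.
SORT_COLUMNS = {"id": "id", "name": "setting_name", "sort": "sort_order"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
BASE_SQL = "SELECT id, setting_name, sort_order FROM book_setting WHERE type = ?"


def build_query_unsafe(sort: str) -> str:
    """The vulnerable pattern: the raw sort value is concatenated into the ORDER BY clause."""
    return BASE_SQL + " ORDER BY " + sort


def build_query_safe(sort: str) -> str:
    """Hardened form: the user value selects an entry from the allowlist; anything else is rejected.
    An identifier cannot be passed as a '?' parameter, so the allowlist replaces parameterization here."""
    parts = sort.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("invalid sort parameter")
    column = SORT_COLUMNS.get(parts[0])
    direction = DIRECTIONS.get(parts[1].lower()) if len(parts) == 2 else "ASC"
    if column is None or direction is None:
        raise ValueError("invalid sort parameter")
    return f"{BASE_SQL} ORDER BY {column} {direction}"


def is_valid_sort(sort: str) -> bool:
    """Convenience check used by request validation before touching the database."""
    try:
        build_query_safe(sort)
        return True
    except ValueError:
        return False


def list_settings(conn, sort: str, setting_type: int = 1):
    """Run the hardened query; the only bound parameter is the WHERE value."""
    return [row[1] for row in conn.execute(build_query_safe(sort), (setting_type,))]


def demo_db():
    """Constructed in-memory table so the example runs stand-alone."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE book_setting (id INTEGER, setting_name TEXT, sort_order INTEGER, type INTEGER)")
    conn.executemany("INSERT INTO book_setting VALUES (?, ?, ?, ?)",
                     [(1, "hot", 3, 1), (2, "new", 1, 1), (3, "hidden", 2, 2)])
    return conn
```
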
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

