CVE-2017-7581
Published 2017-04-07
Priority: P277 | Severity: critical | CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 48.43% (98.7th percentile)
SQL injection vulnerability in NewsController.php in the News module 5.3.2 and earlier for TYPO3 allows unauthenticated users to execute arbitrary SQL commands via vectors involving overwriteDemand for order and OrderByAllowed.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| news_system_project | news_system | <= 5.3.2 | — |
Detection & IOCs (extracted from sources)
URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/typo3_news_module_sqli.rb
- Monitor HTTP requests to TYPO3 News module endpoints for parameters 'overwriteDemand[order]' and 'overwriteDemand[OrderByAllowed]' containing SQL injection payloads (e.g., commas, SQL keywords, or boolean expressions used to manipulate ORDER BY clauses).
- Detect blind SQL injection timing/ordering attacks: the exploit infers data by observing whether news result ordering is inverted (News #2 before News #1) vs. normal (News #1 before News #2), indicating character-by-character extraction of credentials.
- Alert on unauthenticated requests targeting TYPO3 News extension version 5.3.2 or earlier (including 5.0.0) on TYPO3 3.16.0, particularly those manipulating SQL ORDER BY logic via the news list/detail view.
- Flag attempts to extract administrator username and password hash from the TYPO3 backend user table via the News module SQL injection vector — the Metasploit module specifically targets these credentials.
- The SQL injection is exploitable by unauthenticated users, meaning no session or authentication token is required — perimeter controls relying on authentication checks will not block this attack.
- The injection is blind/inferential (order-based), not error-based or UNION-based, so WAF signatures looking only for classic UNION SELECT or error-triggering payloads may miss this attack.
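One way to act on the first and last points above is to allowlist the order value instead of matching payload signatures. The following is an added example, not code from this page or from the Metasploit module; the log lines are constructed, and the `tx_news_pi1` parameter prefix and `/news/` path are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-log-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A benign order value: one column name plus an optional direction. Anything
# else (commas, parentheses, keywords, operators) is reported, so the check
# does not depend on UNION/error-style signatures.
PLAIN_ORDER = re.compile(r'[A-Za-z_][A-Za-z0-9_.]*(\s+(asc|desc))?', re.I)

def inspect(line):
    """Return the reasons this log line is suspicious (empty list if none)."""
    m = REQUEST.search(line)
    if not m:
        return []
    reasons = []
    # parse_qsl percent-decodes names and values, so %5B/%5D forms are covered.
    query = urlsplit(m.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        key = name.lower()
        if "overwritedemand" not in key:
            continue
        if key.endswith("[orderbyallowed]"):
            # The allowed-column list should never come from the client.
            reasons.append("client-supplied OrderByAllowed")
        elif key.endswith("[order]") and not PLAIN_ORDER.fullmatch(value.strip()):
            reasons.append("order is not a plain column [asc|desc]")
    return reasons

def scan(lines):
    """Map 1-based line number -> reasons, for flagged lines only."""
    return {n: r for n, line in enumerate(lines, 1) if (r := inspect(line))}

# Constructed sample lines. PLACEHOLDER stands in for whatever expression a
# request might carry; the tx_news_pi1 prefix and paths are assumptions.
SAMPLE = [
    '198.51.100.7 - - [07/Apr/2017:10:00:01 +0000] "GET /news/?tx_news_pi1[overwriteDemand][categories]=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Apr/2017:10:00:02 +0000] "GET /news/?tx_news_pi1%5BoverwriteDemand%5D%5Border%5D=title%20desc HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Apr/2017:10:00:03 +0000] "GET /news/?tx_news_pi1%5BoverwriteDemand%5D%5BOrderByAllowed%5D=PLACEHOLDER&tx_news_pi1%5BoverwriteDemand%5D%5Border%5D=title%2C(PLACEHOLDER) HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for n, why in scan(SAMPLE).items():
        print(n, why)
```

This only inspects query strings; parameters sent in POST bodies need the same check applied wherever request bodies are logged or proxied.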
CVSS provenance
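| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |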