Summary: the print() function of the print.php component does not validate the order ID it receives, so a crafted request to the component controls what it prints. An attacker who can place an order (or who knows a valid order ID) can then have the print component render content of their choosing.

Vulnerability found on the ordering system of Shopify

The vulnerability was reported in the ordering system of Shopify, a popular ecommerce platform. The root cause is missing input validation of the order ID in the print() function of the print.php component: the id value taken from the request is used as-is, with no check that it is well-formed or that the requesting user is entitled to print that order. An attacker can therefore send a specially crafted request to the component and make it print data it should not. For example, an attacker can create an order with a valid ID and then request a print of that order with arbitrary content, or print orders that are not theirs.

Reproduction example

The issue can be reproduced with a command-line HTTP client or with browser automation. The print component is reached by a plain GET request, so the crafted request is simply print.php with an attacker-chosen id value. In the commands below <order-id> stands for the order ID under test (for example an ID the attacker obtained by placing an order); replace it with a real value.

$ curl -sS 'https://example.com/print.php?id=<order-id>'

The same request can be driven from a browser with Selenium WebDriver, e.g. driver.get('https://example.com/print.php?id=<order-id>') in a WebDriver script; the browser then displays whatever the component printed for that id.

To check whether the component distinguishes request methods at all, send the same id with other HTTP methods from a second terminal and compare the responses with the GET response:

$ curl -sS -X DELETE 'https://example.com/print.php?id=<order-id>'
$ curl -sS -X POST 'https://example.com/print.php?id=<order-id>'
If an attacker knows or can guess an order ID, they can create an order on the site and then make print.php print content of their choice, drawn from the site's database or user interface, without any ownership or format check on the id.

Vulnerability revealed with nzz_order.php on the frontend

The vulnerability is again the lack of input validation on the order ID. If a specially crafted request is sent, the attacker can have the component print any data they want, for example:
- creating an order with a valid ID and then printing that order with arbitrary content;
- printing an arbitrary number of orders by iterating over id values, including orders that belong to other customers.

Solution:

Renaming the function does not address the problem. The fix is to validate and authorize the order ID before anything is printed: reject any id that is not a well-formed order identifier (for an integer ID, a positive decimal number and nothing else), look the order up with a parameterized query, confirm that the order belongs to the authenticated user (or that the caller has a role allowed to print any order), and escape every field that is rendered so stored order content cannot inject markup into the printed page. Requests that fail any of these checks should receive an error response rather than a partial or attacker-controlled print.
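The following is an added example, not code from the affected product or from the advisory: a minimal print component written in the vulnerable shape described above (id used without validation or ownership check) next to a hardened version that applies the checks listed in the solution. The table layout, column names, session user ID and the use of an in-memory SQLite database are assumptions made so the file runs stand-alone.

```php
<?php
// Added illustration of the missing-validation pattern and its fix.
// Not the product's source; table/column names and the user model are assumed.
declare(strict_types=1);

// --- Vulnerable shape: the request id is used as-is. No format check, no
// ownership check, no output escaping. (Interpolating it into SQL also makes
// this injectable, but the point shown here is the missing validation.)
function print_order_vulnerable(PDO $db, array $request): string
{
    $id = $request['id'];
    $row = $db->query("SELECT id, contents FROM orders WHERE id = '$id'")->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'order not found';
    }
    return "<h1>Order {$row['id']}</h1><pre>{$row['contents']}</pre>";
}

// --- Hardened version ---

// Accept only a positive decimal integer of sane length; anything else is rejected.
function validate_order_id(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    if (!preg_match('/^[1-9][0-9]{0,17}$/', $s)) {
        return null;
    }
    return (int) $s;
}

function print_order_hardened(PDO $db, array $request, int $currentUserId): string
{
    $id = validate_order_id($request['id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        return 'invalid order id';
    }
    // Parameterized lookup that also enforces ownership: an order id belonging
    // to another customer simply does not match.
    $stmt = $db->prepare('SELECT id, contents FROM orders WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return 'order not found';
    }
    // Escape everything rendered so stored order content cannot inject markup.
    $safeId = htmlspecialchars((string) $row['id'], ENT_QUOTES, 'UTF-8');
    $safeContents = htmlspecialchars((string) $row['contents'], ENT_QUOTES, 'UTF-8');
    return "<h1>Order {$safeId}</h1><pre>{$safeContents}</pre>";
}

// --- Stand-alone demo with constructed sample data (assumed schema) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, contents TEXT)');
$db->exec("INSERT INTO orders VALUES (1, 10, '2 x widget')");
$db->exec("INSERT INTO orders VALUES (2, 20, '<script>alert(1)</script>')");

// User 10 asks for user 20's order: the vulnerable function prints it verbatim,
// including the stored markup; the hardened function refuses.
echo print_order_vulnerable($db, ['id' => '2']), PHP_EOL;
echo print_order_hardened($db, ['id' => '2'], 10), PHP_EOL;               // order not found
echo print_order_hardened($db, ['id' => '1'], 10), PHP_EOL;               // user 10's own order
echo print_order_hardened($db, ['id' => "2' OR '1'='1"], 10), PHP_EOL;    // invalid order id
```

The ownership condition lives in the query itself rather than in a separate check after the fetch, so there is no window in which the component holds another user's order data, and a malformed id never reaches the database at all.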

Timeline

Published on: 09/02/2022 21:15:00 UTC
Last modified on: 09/08/2022 03:30:00 UTC
