A critical vulnerability, tracked as CVE-2022-3714, has been reported in SourceCodester Online Medicine Ordering System 1., a web application used by medical stores and pharmacies to manage medicine orders. The flaw lies in an unknown function within the 'admin/?page=orders/view_order' file and permits SQL injection: a remote attacker can inject SQL through the 'id' argument and compromise the confidentiality and integrity of the application's database.

Exploit Details ###

Vulnerability Type: SQL Injection
Software Affected: SourceCodester Online Medicine Ordering System 1.
File Affected: admin/?page=orders/view_order
Attack Vector: Remote
CVE Identifier: CVE-2022-3714
Assigned VDB Identifier: VDB-212346

Vulnerability Description ###

The vulnerability is caused by missing input validation of the 'id' argument. Because the value passed in 'id' is used to build a SQL statement, an attacker who controls it can alter the query executed against the application database, which can lead to unauthorized data access, data theft or modification, and, depending on the database account's privileges, further compromise of the host.

The affected portion of code in the "admin/?page=orders/view_order" file is as follows:

$id = $_GET['id'];                                    // untrusted request parameter
$query = "SELECT * FROM orders WHERE id = '".$id."'"; // spliced into the SQL string without escaping
$result = mysqli_query($con, $query);                 // executed as-is against the database
$row = mysqli_fetch_array($result);

In the snippet above, '$id' is taken straight from the 'id' request argument and concatenated into the SQL string without any validation, escaping, or parameter binding, so any single quote in the value terminates the string literal and whatever follows is parsed as SQL.

To exploit this vulnerability, an attacker can follow these steps:

1. Identify the vulnerable URL of the affected system (Example: http://target_site.com/admin/?page=orders/view_order&id=)
2. Craft a malicious value for the 'id' argument (Example: http://target_site.com/admin/?page=orders/view_order&id=1%20AND%20(INSERT MALICIOUS SQL QUERY HERE)). Note that because the affected code wraps the value in single quotes, a working payload must first terminate that string literal (a leading single quote, URL-encoded as %27) before the injected SQL.

Detailed information about the vulnerability is published in the following sources:

- CVE Detail (CVE-2022-3714)
- VulDB (VDB-212346)

Mitigation and Prevention ###

To mitigate and prevent the effects of this vulnerability, developers and users of SourceCodester Online Medicine Ordering System 1. must take the following actions:

1. Update the affected software to the latest version, if available
2. Implement proper input validation and sanitization measures for the 'id' argument in the affected code, and pass the value to the database as a bound parameter rather than concatenating it into the query string
3. Monitor the affected system for any unusual activities, such as requests to 'admin/?page=orders/view_order' whose 'id' argument contains quotes, SQL keywords, or comment sequences
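The following script is an added example, not code from the original page or from the SourceCodester project. It reproduces the construction of the vulnerable query shown above (the raw 'id' value concatenated into a single-quoted literal) against an in-memory SQLite table filled with constructed sample rows, shows what two crafted 'id' values do to that query, and then shows the fix called for in mitigation step 2: allow-list the argument as a positive integer and pass it as a bound parameter. The column names other than 'id', the sample rows, the payloads, and the function names are all assumptions; SQLite's `sqlite_master` catalog stands in for the MySQL `information_schema` an attacker would read in the real deployment.

```python
import sqlite3

# Constructed sample rows standing in for the application's 'orders' table.
# Column names other than 'id' are an assumption; the page only shows
# "SELECT * FROM orders WHERE id = '...'".
SAMPLE_ORDERS = [
    (1, "alice", 19.99),
    (2, "bob", 42.50),
    (3, "carol", 7.25),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample orders."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    con.commit()
    return con


def view_order_vulnerable(con: sqlite3.Connection, order_id: str) -> list:
    """Same construction as the page's PHP snippet: the raw 'id' value is
    concatenated into a single-quoted literal, so a value that starts with
    a quote terminates the literal and the remainder is parsed as SQL."""
    query = "SELECT * FROM orders WHERE id = '" + order_id + "'"
    return con.execute(query).fetchall()


def is_valid_order_id(order_id: str) -> bool:
    """Allow-list check for the 'id' argument: a plain positive integer only."""
    return order_id.isdigit() and int(order_id) > 0


def view_order_fixed(con: sqlite3.Connection, order_id: str) -> list:
    """Hardened handler (mitigation step 2): reject anything that is not a
    positive integer, then hand the value to the driver as a bound parameter
    so the database never interprets it as SQL."""
    if not is_valid_order_id(order_id):
        raise ValueError("id must be a positive integer")
    return con.execute("SELECT * FROM orders WHERE id = ?", (int(order_id),)).fetchall()


def view_order_bound_only(con: sqlite3.Connection, order_id: str) -> list:
    """Parameter binding without the allow-list check: a payload is compared
    as an opaque string against the integer column and matches nothing, so
    binding alone already closes the injection (validation is still the
    right first line of defence for a handler that expects an integer)."""
    return con.execute("SELECT * FROM orders WHERE id = ?", (order_id,)).fetchall()


# Two constructed payloads for the 'id' argument. Each opens with a quote to
# terminate the literal; the second appends a UNION that reads the schema
# catalog and comments out the trailing quote the application adds.
TAUTOLOGY = "1' OR '1'='1"
SCHEMA_LEAK = "1' UNION SELECT name, sql, 0 FROM sqlite_master--"


if __name__ == "__main__":
    con = build_db()
    print("legitimate id:", view_order_vulnerable(con, "1"))
    print("tautology payload returns every order:", view_order_vulnerable(con, TAUTOLOGY))
    print("union payload leaks the schema:", view_order_vulnerable(con, SCHEMA_LEAK))
    print("fixed handler, legitimate id:", view_order_fixed(con, "1"))
    print("bound parameter with payload matches nothing:", view_order_bound_only(con, TAUTOLOGY))
    print("allow-list rejects payload:", is_valid_order_id(TAUTOLOGY))
```

Running the script shows the legitimate lookup returning one order, the tautology payload returning all three rows, the UNION payload returning the 'orders' table definition alongside the real row, and both hardened variants treating the same payloads as data rather than SQL. In the PHP code the equivalent of `view_order_fixed` is an `intval()`/`ctype_digit()` check on `$_GET['id']` followed by `mysqli_prepare`, `mysqli_stmt_bind_param` with type "i", and `mysqli_stmt_execute` in place of `mysqli_query` on a concatenated string.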

In conclusion, CVE-2022-3714 is a critical SQL injection vulnerability in SourceCodester Online Medicine Ordering System 1. that is reachable remotely through the 'id' argument of 'admin/?page=orders/view_order'. Operators of affected systems should apply the mitigations above without delay and follow the vendor's patches and security fixes as they become available.

Timeline

Published on: 10/27/2022 10:15:00 UTC
Last modified on: 10/28/2022 18:29:00 UTC