In 2022, a serious vulnerability known as CVE-2022-43125 was discovered in the Online Diagnostic Lab Management System v1. The bug allows attackers to perform SQL injection by manipulating the id parameter of the /appointments/manage_appointment.php page. In this post, we break down what this vulnerability is, how it works, and why it matters. We also provide code examples and references for further reading.
What is SQL Injection?
SQL injection is a type of web security flaw where an attacker interferes with the queries an application sends to its database. By injecting malicious SQL code into input fields, attackers can view, modify, or delete data without authorization.
Vulnerable Application: Online Diagnostic Lab Management System v1.
This popular PHP and MySQL-based lab management system lets clinics schedule appointments, manage patient data, and handle billing, all over the web. But in version 1., manage_appointment.php does not safely handle the id parameter.
The application takes an id from the URL and uses it in a SQL query. For example:
https://example.com/appointments/manage_appointment.php?id=2
Here’s a simplified (and vulnerable) PHP code snippet from manage_appointment.php:
<?php
// BAD: No validation or escaping of user input!
$id = $_GET['id'];
$query = "SELECT * FROM appointments WHERE id = $id";
$result = mysqli_query($conn, $query);
?>
What’s Wrong?
This code takes whatever a user puts in the id parameter and inserts it directly into the SQL query. If an attacker sends smartly crafted input, they can control or break the query.
Because there’s no validation, an attacker can use SQL syntax to modify the query. For example:
https://example.com/appointments/manage_appointment.php?id=2 OR 1=1
Injected query:
SELECT * FROM appointments WHERE id = 2 OR 1=1
Want to get all usernames and passwords? Try:
https://example.com/appointments/manage_appointment.php?id= UNION SELECT 1,username,password,4 FROM users--
Injected query:
SELECT * FROM appointments WHERE id = UNION SELECT 1,username,password,4 FROM users--
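Payloads like the ones above leave a clear trace in the web server's access log: the id parameter of manage_appointment.php stops being a plain number. The following Python script is an added example (not code from the original post or from the project) that scans constructed access-log lines for exactly that; the IPs, timestamps and log lines are made up for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed access-log lines in the common Apache/nginx format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2022:14:20:01 +0000] "GET /appointments/manage_appointment.php?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Nov/2022:14:21:17 +0000] "GET /appointments/manage_appointment.php?id=2%20OR%201%3D1 HTTP/1.1" 200 98321 "-" "curl/7.85.0"
10.0.0.9 - - [01/Nov/2022:14:21:45 +0000] "GET /appointments/manage_appointment.php?id=2%27 HTTP/1.1" 500 0 "-" "curl/7.85.0"
10.0.0.7 - - [01/Nov/2022:14:22:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Nov/2022:14:23:11 +0000] "GET /appointments/manage_appointment.php?id=abc HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# One request per line: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# The page and parameter named in the advisory; a legitimate id is a plain integer.
VULN_PATH = "/appointments/manage_appointment.php"
PARAM = "id"
INT_RE = re.compile(r"[0-9]{1,10}")

def suspicious_id_requests(log_text):
    """Return one finding per request to the vulnerable page whose id
    parameter, after URL-decoding, is anything other than a plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != VULN_PATH:
            continue
        # parse_qs percent-decodes, so "2%20OR%201%3D1" is compared as "2 OR 1=1".
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if INT_RE.fullmatch(value):
                continue
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": int(m.group("status")), "id": value})
    return findings

if __name__ == "__main__":
    for f in suspicious_id_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} id={f['id']!r}")
```

A 500 on this page with a non-numeric id is a typical sign of a broken query being probed, while a 200 with an unusually large response (as in the second constructed line) is what a successful injection can look like.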
Risks and Impact
- Sensitive Data Exposure: Attackers can access user info, appointment details, lab results, billing data, and more.
How to Fix CVE-2022-43125
Always sanitize and validate user input. The best way is to use prepared statements. Here’s how to update the code:
<?php
// GOOD: Validate the input first, then use a prepared statement so the
// value is never spliced into the SQL text.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid appointment id');
}
$stmt = $conn->prepare("SELECT * FROM appointments WHERE id = ?");
$stmt->bind_param("i", $id); // 'i' binds the value as an integer
$stmt->execute();
$result = $stmt->get_result(); // requires the mysqlnd driver
?>
Pro Tip: Never trust user input. Always validate and escape data.
Original References and Further Reading
- CVE Details for CVE-2022-43125
- NVD - National Vulnerability Database: CVE-2022-43125
- Exploit Database Entry
- OWASP: SQL Injection Prevention Cheat Sheet
Final Thoughts
CVE-2022-43125 is a textbook example of why developers must never trust user input. By using prepared statements and proper validation, vulnerabilities like this can be easily avoided. If you run Online Diagnostic Lab Management System v1., update your code or patch your application right away.
Stay safe and secure those inputs!
*If you found this post helpful, share it with your developer friends or your IT department to help spread awareness.*
Timeline
Published on: 11/01/2022 14:15:00 UTC
Last modified on: 11/01/2022 23:33:00 UTC