In late 2022, a security researcher discovered a dangerous SQL injection vulnerability in the Simple Cold Storage Management System v1.0. Tracked as CVE-2022-43229, this bug lets attackers tamper with the application's database through the id parameter of the /bookings/update_status.php endpoint. In this post, we'll break down how the bug works, how you can test for it, and why it matters, all in straightforward language.

What is Simple Cold Storage Management System?

The Simple Cold Storage Management System is a web-based app, often used by warehouse workers, cold storage managers, and inventory controllers. It helps track which items are in cold storage, who's renting storage space, and the status of various bookings.

Reference:
- Official Download Page (sourcecodester.com)

What is CVE-2022-43229?

This vulnerability is a classic SQL Injection flaw. Specifically, the application takes user input from a web request and inserts it directly into an SQL query, without proper validation or sanitization. Attackers can send specially crafted values to trick the application into running arbitrary SQL code. This could leak private data, tamper with records, or even compromise the whole system.

The bug sits inside the following file

/bookings/update_status.php

The vulnerable parameter is

id

When a legitimate user (like an admin or staff) tries to update a booking's status, the page reads the id parameter from their request (usually a URL or form field) and uses it to select and update booking information in the database.

Here's an illustrative example of the kind of vulnerable PHP behind /bookings/update_status.php (a simplified reconstruction of the pattern, not a verbatim copy of the project's source)

<?php
// Connect to database
include('../database/connection.php');

if(isset($_GET['id'])) {
    $id = $_GET['id'];         // raw request value, no validation
    $status = $_GET['status']; // e.g. 'pending' or 'completed', also unvalidated

    // Both values are concatenated straight into the SQL text. $id is not even
    // quoted, so whatever follows the number is parsed as part of the WHERE clause.
    $sql = "UPDATE bookings SET status='$status' WHERE id=$id";
    $result = mysqli_query($conn, $sql);

    // mysqli_query() returns true for any well-formed UPDATE, even one that
    // matched zero rows, so this message says nothing about what changed.
    if ($result) {
        echo "Status updated successfully!";
    } else {
        echo "Error updating status.";
    }
}
?>

What's wrong here?
Notice that $id is taken directly from user input and plugged into an SQL statement with no checks. Because the id column is numeric, the value is not even inside quotes, so an attacker does not need a quote character to break out: anything appended after the number is parsed as SQL. ($status is spliced in the same way, so it is injectable too.)

Example 1: Mass Update

A staff member makes this request to update booking #5

GET /bookings/update_status.php?id=5&status=completed

An attacker can instead send this request (the space is URL-encoded as +; a browser does this for you)

GET /bookings/update_status.php?id=5+OR+1=1&status=completed

Now, the SQL query becomes

UPDATE bookings SET status='completed' WHERE id=5 OR 1=1

Since 1=1 is always true, the WHERE clause matches every row: *all* bookings are marked completed by a single request.

Example 2: Extracting Data

Because the injection lands in the WHERE clause of an UPDATE and mysqli_query() executes only a single statement, a stacked query such as

GET /bookings/update_status.php?id=5;SELECT+user(),database(),version();--&status=completed

is rejected by the database rather than run, and the page prints nothing from a SELECT anyway. Extraction instead works blind: the attacker appends a condition whose truth depends on the data and watches the response. A time-based probe shows the idea:

GET /bookings/update_status.php?id=5+AND+SLEEP(5)&status=completed

The query becomes

UPDATE bookings SET status='completed' WHERE id=5 AND SLEEP(5)

and the response arrives about five seconds late. Replacing SLEEP(5) with a condition such as a comparison on SUBSTRING(user(),1,1) lets an attacker recover user(), database() and version() one character at a time, using the delay, or whether booking #5 actually changed, as the oracle.

Want to check whether your own installation is affected? Try the following steps, only against a system you own or are authorized to test

1. Take a backup of the database first. A successful injection into an UPDATE statement changes data.

2. Pick a booking that exists (here #1) and send two requests that differ only in a condition that is always true versus always false (spaces URL-encoded as +)

http://[YOUR_SERVER]/bookings/update_status.php?id=1+AND+1=1&status=completed
http://[YOUR_SERVER]/bookings/update_status.php?id=1+AND+1=2&status=completed

3. Check booking #1 afterwards, in the bookings list or directly in the database. If the first request changed its status and the second left it untouched, the condition you appended was evaluated by the database and the system is vulnerable. The success message alone is not a reliable signal, because mysqli_query() returns true for a well-formed UPDATE even when it matches no rows. On a patched endpoint both requests behave identically. Avoid payloads such as id=1+OR+1=1 on a live system: they rewrite every booking.
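The two injection examples above and the true/false check from the test steps, worked through against a throwaway database. This is an added example written for this post, not code from the Simple Cold Storage Management System: SQLite stands in for MySQL, the bookings table and its rows are constructed sample data, and every function name is invented. The point it adds is that the stacked-query payload from Example 2 is refused, because the sqlite3 module, like mysqli_query(), executes one statement per call, while the WHERE-clause payloads go straight through; the probe works from the number of rows the UPDATE matched, not from the success message.

```python
"""Model of the CVE-2022-43229 query shape against an in-memory SQLite table.

Added example for this write-up, not code from the Simple Cold Storage
Management System. SQLite stands in for MySQL, the 'bookings' rows are
constructed sample data, and all function names here are invented.
"""
import sqlite3

# Constructed sample data: booking ids 1, 2, 3 and 5, all still pending.
SAMPLE_BOOKINGS = [(1, "pending"), (2, "pending"), (3, "pending"), (5, "pending")]
ALLOWED_STATUS = ("pending", "completed")


def fresh_db():
    """Return a new in-memory database seeded with SAMPLE_BOOKINGS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, status TEXT NOT NULL)")
    conn.executemany("INSERT INTO bookings (id, status) VALUES (?, ?)", SAMPLE_BOOKINGS)
    conn.commit()
    return conn


def update_vulnerable(conn, raw_id, status):
    """Same shape as the vulnerable update_status.php: both request values are
    spliced into the SQL text, so raw_id is parsed as SQL, not as a number.
    Returns the number of rows the UPDATE matched."""
    sql = f"UPDATE bookings SET status='{status}' WHERE id={raw_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_fixed(conn, raw_id, status):
    """Hardened version: integer cast, status allow-list, bound parameters.
    Raises ValueError for anything that is not a plain integer id."""
    if status not in ALLOWED_STATUS:
        raise ValueError("status not allowed")
    booking_id = int(raw_id)  # '5 OR 1=1' fails here and never reaches SQL
    cur = conn.execute("UPDATE bookings SET status=? WHERE id=?", (status, booking_id))
    conn.commit()
    return cur.rowcount


def rows_with_status(conn, status):
    """Sorted booking ids currently carrying the given status."""
    cur = conn.execute("SELECT id FROM bookings WHERE status=? ORDER BY id", (status,))
    return [row[0] for row in cur.fetchall()]


def demo_mass_update(raw_id):
    """Run the Example 1 payload through the vulnerable query on a fresh database.
    Returns (rows matched, ids now marked completed)."""
    conn = fresh_db()
    matched = update_vulnerable(conn, raw_id, "completed")
    return matched, rows_with_status(conn, "completed")


def fixed_rejects(raw_id, status="completed"):
    """True if update_fixed refuses the input before any SQL runs."""
    try:
        update_fixed(fresh_db(), raw_id, status)
    except ValueError:
        return True
    return False


def stacked_query_is_rejected(conn):
    """The Example 2 payload appends a second statement. Like mysqli_query(),
    sqlite3's execute() runs exactly one statement and raises instead.
    (Older Python versions raise sqlite3.Warning, newer ones ProgrammingError.)"""
    try:
        update_vulnerable(conn, "5; SELECT sqlite_version()", "completed")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def boolean_probe(update_fn, conn, booking_id=1):
    """The true/false check from the test steps: re-set an existing booking to
    the status it already has, once with 'AND 1=1' and once with 'AND 1=2'.
    Injection shows as exactly one matched row versus none; a fixed endpoint
    rejects both probes, so the two results never differ.
    Note: MySQL's affected_rows counts changed rows rather than matched rows,
    so a real probe against MySQL should target a status the row does not hold yet."""
    outcome = {}
    for tag, condition in (("true", "1=1"), ("false", "1=2")):
        try:
            outcome[tag] = update_fn(conn, f"{booking_id} AND {condition}", "pending")
        except ValueError:
            outcome[tag] = None
    return outcome["true"] == 1 and outcome["false"] == 0


if __name__ == "__main__":
    print("vulnerable, id=5 OR 1=1 ->", demo_mass_update("5 OR 1=1"))
    print("stacked query rejected:", stacked_query_is_rejected(fresh_db()))
    print("fixed rejects payload:", fixed_rejects("5 OR 1=1"))
    print("probe vs vulnerable:", boolean_probe(update_vulnerable, fresh_db()))
    print("probe vs fixed:", boolean_probe(update_fixed, fresh_db()))
```

Run it with python3 and the vulnerable path reports four matched rows for the Example 1 payload, while the fixed path raises on the same input before any query is built.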

How to Fix It

The best solution is to use prepared statements. The driver sends the SQL text and the values separately, so the database can tell data apart from instructions and nothing in id or status can be parsed as SQL. It also helps to cast id to an integer and to accept only the status values the application actually uses. Independently of the injection, make sure the page verifies that the requester is an authenticated staff user before changing anything; the snippet above contains no such check.

Here’s how the fixed code might look

<?php
// Connect to database
include('../database/connection.php');

// Only the two statuses the application actually uses are accepted.
$allowed_status = ['pending', 'completed'];

if (isset($_GET['id'], $_GET['status'])) {
    $id = intval($_GET['id']);    // numeric cast: '5 OR 1=1' becomes 5
    $status = $_GET['status'];

    if (!in_array($status, $allowed_status, true)) {
        http_response_code(400);
        exit("Invalid status.");
    }

    // Prepared statement: the values travel separately from the SQL text,
    // so neither $id nor $status can alter the query.
    $stmt = $conn->prepare("UPDATE bookings SET status=? WHERE id=?");
    $stmt->bind_param("si", $status, $id);

    if ($stmt->execute() && $stmt->affected_rows > 0) {
        echo "Status updated successfully!";
    } else {
        // mysqli reports 0 affected rows when the booking already had the
        // requested status, so this branch also covers "nothing changed".
        echo "Error updating status.";
    }
    $stmt->close();
}
?>

More Resources

- NVD Entry for CVE-2022-43229
- OWASP SQL Injection Explanation
- Simple Cold Storage Management System on SourceCodester

Conclusion

CVE-2022-43229 is a big reminder that even small, simple apps can have high-impact vulnerabilities. If you’re running the Simple Cold Storage Management System or any similar custom PHP project, always use prepared statements and never trust user input. Regular security checks and quick patching can make the difference between routine operations and a full-blown data breach.

Timeline

Published on: 10/28/2022 18:15:00 UTC
Last modified on: 10/28/2022 19:47:00 UTC