A security vulnerability was recently discovered in the Canteen Management System v1.. The software is used for managing canteens and keeping track of operations such as item stock, sales, and cash collection. This post presents a detailed analysis of the discovered SQL Injection vulnerability, which allows an attacker to execute arbitrary SQL queries against the back-end database and thereby read sensitive information or modify data.

Exploit Details

The vulnerability lies in the 'id' parameter of the 'editcategory.php' file. By sending a specifically crafted request to the 'editcategory.php' script, an attacker can inject their own SQL commands, leading to unauthorized reads from, or modifications of, the back-end database.

The following code snippet illustrates the vulnerable parameter in the 'editcategory.php' script:

<?php
    // ...
    // Vulnerable: the raw request value is taken as-is (GET, POST or cookie)
    $id = $_REQUEST['id'];
    // ...
    // ... and interpolated straight into the SQL string, so any SQL
    // syntax in 'id' becomes part of the query
    $sql = "SELECT * FROM category WHERE id = $id";
    // ...
?>


In the above snippet, the 'id' parameter is read directly from the user request without validation and interpolated into the SQL string without parameterization, which leaves the door open for an attacker to alter the structure of the query.

Proof-of-Concept

A Proof-of-Concept (PoC) for the exploit can be achieved by sending a malicious GET request to the target application, injecting SQL code into the 'id' parameter. An example of the PoC is shown below:

http://target-server/youthappam/editcategory.php?id=1 OR 1=1--


In this example, the injected 'OR 1=1' makes the WHERE clause true for every row, and the trailing '--' comments out whatever follows, so the query returns all rows of the category table instead of only the row with the requested 'id'.

Mitigation

To fix this vulnerability, developers should add proper input validation and use parameterized queries. With prepared statements the parameter value is sent to the database separately from the SQL text, so user input can never change the structure of the query and this class of SQL injection is eliminated. Below is an example of how to implement prepared statements with the PHP Data Objects (PDO) extension:

<?php
    // ...
    // $pdo is the application's existing PDO database connection
    $id = $_REQUEST['id'];
    // ...
    // The '?' placeholder keeps the value out of the SQL text
    $sql = "SELECT * FROM category WHERE id = ?";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$id]);
    $category = $stmt->fetch(PDO::FETCH_ASSOC);
    // ...
?>
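
As an added example (not code from the original advisory or from the Canteen Management System project), the following is a fuller hardened handler for the 'id' parameter of editcategory.php that combines integer validation with a bound PDO parameter; the DSN, credentials and the columns of the 'category' table are assumptions.

```php
<?php
// Added example, not the project's own code. Hardened handling of the
// 'id' parameter: validate it as a positive integer, then bind it to a
// server-side prepared statement so it can never alter the SQL text.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=youthappam;charset=utf8mb4', // placeholder DSN
    'db_user',                                                 // placeholder
    'db_password',                                             // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]
);

// 1. Validate. FILTER_VALIDATE_INT rejects anything that is not an integer,
//    so a value such as "1 OR 1=1--" yields false and the request stops here.
//    (Unlike $_REQUEST, INPUT_GET only accepts the query string, matching the
//    GET request the PoC uses.)
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('invalid id');
}

// 2. Parameterize. The value is transmitted separately from the query and
//    typed as an integer; the query structure is fixed at prepare() time.
$stmt = $pdo->prepare('SELECT * FROM category WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

$category = $stmt->fetch(PDO::FETCH_ASSOC);
if ($category === false) {
    http_response_code(404);
    exit('category not found');
}

// $category now holds exactly one row; render the edit form from it.
```

Both steps are worth keeping: the prepared statement alone closes the injection, while the integer check additionally turns malformed input into a clean 400 response that is easy to log and alert on.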

Conclusion

This post examined the details of the recently discovered SQL Injection vulnerability (CVE-2022-43290) in the Canteen Management System v1.. By fixing this vulnerability and following secure coding practices, the risk of data breaches and unauthorized access to sensitive information can be minimized, resulting in a more robust and safer application. If you are a developer or administrator of a Canteen Management System deployment, it is crucial to be aware of this vulnerability and apply the mitigation steps above to safeguard your system.

Timeline

Published on: 11/09/2022 15:15:00 UTC
Last modified on: 11/10/2022 15:02:00 UTC