In early 2023, a serious vulnerability was discovered in the popular open-source tool pearProjectApi, version 2.8.10. This post dives into CVE-2023-27112, an SQL injection bug affecting the projectCode parameter in the project.php script. We'll explain the issue in plain English, break down how it works, show a proof-of-concept code snippet, and point you to the official references.

What is pearProjectApi?

pearProjectApi is a PHP-based project management API, commonly used in web projects to manage project data, tasks, and users. Versions before the patch included inadequate input handling, allowing attackers to manipulate SQL statements.

What Is SQL Injection?

SQL Injection (SQLi) is a vulnerability that allows attackers to interfere with queries that an application makes to its database. If user input isn’t properly sanitized, an attacker can send malicious data — potentially extracting, modifying, or deleting critical information.

Where is the bug?

The vulnerable code is in project.php, specifically in how it processes the projectCode parameter.

A simplified version of the vulnerable code looks like this:

// project.php (partial, vulnerable code)
$projectCode = $_GET['projectCode'];
$sql = "SELECT * FROM projects WHERE project_code = '$projectCode'";
$result = mysqli_query($conn, $sql);

Here, user-supplied input from $_GET['projectCode'] is directly embedded in the SQL statement without sanitization or use of prepared statements.

If an attacker can control the projectCode GET parameter, they can inject SQL code. For example:

GET /project.php?projectCode=123' OR 1=1 --

This would turn the SQL into:

SELECT * FROM projects WHERE project_code = '123' OR 1=1 --'

The OR 1=1 part forces the query to always return true, potentially exposing all projects.

Proof-of-Concept Exploit

Let’s see a practical example. Assume the web application runs at http://victim-site.com/project.php.

GET /project.php?projectCode=123'%20UNION%20SELECT%201,username,password,4%20FROM%20users--+

1. Break out of the existing string with '
2. Use the SQL UNION operator to combine another query, here pulling the username and password from the users table
3. Comment out the rest of the original SQL with --

Depending on the application structure, this can dump sensitive database info in the page response.

Patched: March 2023

Original Reference and CVE Entry:
- NVD - CVE-2023-27112
- Packet Storm Advisory
- ExploitDB #51332
- pearProjectApi GitHub (patch commit)

How to Fix (For Developers)

1. Never trust user input. Always use prepared statements or parameterized queries in PHP with MySQLi or PDO.

Secure code example:

// project.php (fixed): the value is bound as data and never spliced into the SQL text
$projectCode = $_GET['projectCode'] ?? '';
$stmt = $conn->prepare("SELECT * FROM projects WHERE project_code = ?");
$stmt->bind_param("s", $projectCode);   // "s" binds the value as a string
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();
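To make the difference between the vulnerable lookup (the string-built query shown earlier, where ' OR 1=1 -- widens the WHERE clause) and the prepared-statement fix concrete, here is an added example that is not part of the original post or of pearProjectApi. It swaps PHP/MySQLi for Python's built-in sqlite3 module and an in-memory table with a few constructed rows, so it runs offline; the table layout and row values are assumptions, not the project's schema.

```python
import sqlite3

# Constructed sample rows standing in for a projects table (hypothetical, not pearProjectApi data).
SAMPLE_PROJECTS = [
    ("123", "Internal CRM"),
    ("456", "Payroll migration"),
    ("789", "Board minutes"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a projects table similar to the one project.php queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projects (project_code TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO projects VALUES (?, ?)", SAMPLE_PROJECTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, project_code: str) -> list:
    """Mirror the flawed pattern: user input is spliced straight into the SQL text."""
    sql = f"SELECT project_code, name FROM projects WHERE project_code = '{project_code}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, project_code: str) -> list:
    """Mirror the fix: a placeholder keeps the input a plain value, whatever characters it contains."""
    sql = "SELECT project_code, name FROM projects WHERE project_code = ?"
    return conn.execute(sql, (project_code,)).fetchall()


def compare(project_code: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    try:
        return {
            "input": project_code,
            "vulnerable_rows": len(lookup_vulnerable(conn, project_code)),
            "parameterized_rows": len(lookup_parameterized(conn, project_code)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup returns one row either way.
    print(compare("123"))
    # The tautology payload from the post: the vulnerable query returns every row,
    # the parameterized query looks for a code literally equal to the payload and finds none.
    print(compare("123' OR 1=1 --"))
```

The second call is the whole story of the bug: with string concatenation the quote in the payload ends the literal and OR 1=1 matches every row, while the bound parameter never reaches the SQL parser as syntax. The same contrast holds for MySQLi prepared statements in PHP; sqlite3 is used here only so the example is self-contained.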

2. Look for suspicious SQL strings in web logs (like ' OR 1=1).

3. Run vulnerability scanners or use tools like sqlmap to test your application.
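For the log-review advice above, here is an added example (not part of the original post) that scans Apache-style access log lines for the request shapes this post describes. The log lines are constructed for the example; the regexes and indicator names are my own choices, and the parameter values are URL-decoded before matching so that %20 or + encoding does not hide a payload.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access log lines for the example (not real traffic); the 2nd and 3rd carry
# the two request shapes discussed in the post, the others are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2025:22:15:09 +0000] "GET /project.php?projectCode=123 HTTP/1.1" 200 512
10.0.0.7 - - [21/Jan/2025:22:16:40 +0000] "GET /project.php?projectCode=123'%20OR%201=1%20-- HTTP/1.1" 200 9871
10.0.0.9 - - [21/Jan/2025:22:17:02 +0000] "GET /project.php?projectCode=123'%20UNION%20SELECT%201,username,password,4%20FROM%20users--+ HTTP/1.1" 200 14022
10.0.0.5 - - [21/Jan/2025:22:18:11 +0000] "GET /index.php HTTP/1.1" 200 3301
"""

# Common log format: client, identity, user, [timestamp], "METHOD target protocol", status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators, matched against the decoded parameter value. Names are assumptions for this example.
SQLI_INDICATORS = [
    ("tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),        # ' OR 1=1
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),  # UNION SELECT ...
    ("comment-terminator", re.compile(r"(--|/\*)")),                     # trailing -- or /*
]


def classify_value(value: str) -> list:
    """Return the names of every indicator that matches one decoded parameter value."""
    return [name for name, pattern in SQLI_INDICATORS if pattern.search(value)]


def suspicious_requests(log_text: str) -> list:
    """Parse each log line, decode its query-string parameters, and collect the ones that match."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes and turns '+' into a space, so encoded payloads are visible.
        for name, value in parse_qsl(query, keep_blank_values=True):
            indicators = classify_value(value)
            if indicators:
                hits.append({
                    "ip": m["ip"],
                    "timestamp": m["ts"],
                    "status": int(m["status"]),
                    "param": name,
                    "value": value,
                    "indicators": indicators,
                })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['param']}={hit['value']!r} -> {hit['indicators']}")
```

The comment-terminator indicator on its own is noisy (a legitimate value can contain --), so in practice weight it as supporting evidence next to a tautology or UNION match, and pair the log review with the HTTP status and response size: a 200 with an unusually large body on a request that should return one project is the combination worth escalating.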

Conclusion

CVE-2023-27112 is a classic but widespread vulnerability, reminding all PHP developers to stay vigilant with user input. If you use pearProjectApi v2.8.10 or older, act fast—update your code and audit for other insecure practices!

If you have any questions, feel free to ask below or check the links for more technical details.

Timeline

Published on: 01/21/2025 22:15:09 UTC
Last modified on: 03/13/2025 21:15:37 UTC