A SQL injection vulnerability has been discovered in HotelDruid v3..5, a widely used open-source hotel management software. This vulnerability, tracked as CVE-2023-33817, puts a considerable number of hotel websites at risk. In this post, we look at the details of the issue, with code snippets and original references to help users understand and react to this security threat.

Background

HotelDruid is a popular property management system (PMS) used by numerous hotels and accommodation vendors worldwide. It's an open-source solution that provides users with online booking, room management, and invoicing options. However, the software's v3..5 still harbors a critical SQL injection vulnerability.

Description

The SQL injection vulnerability allows attackers to execute arbitrary SQL code by exploiting a weakness in the software's input validation. By sending a maliciously crafted request to the affected web application, an attacker can bypass authentication checks and gain unauthorized access to sensitive data.

An attacker may use this vulnerability to manipulate the database entries, read confidential information such as user credentials and personal data of guests, or even compromise the entire HotelDruid system.

Code Snippet

The vulnerability lies in HotelDruid's "gestionale.inizio.php" file, specifically in the code that processes user-supplied input data. The following code snippet demonstrates the issue:

$date_inventario = addslashes($_POST['date_inventario']);
$inserti_query_rel = '';
if ($torna_indietro) {
    $inserti_query_rel .= "utente_inserimento,";
    $lista_valori_rel .= "'".$_SESSION['id_utente']."',";
} # fine if ($torna_indietro)

The missing input validation allows an attacker to send a malicious request, such as:

POST /gestionale.inizio.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
...
date_inventario=2022-01-01'+and+(select+1+from+(select+sleep(10))+a)+'&submit=Search

Original References

The CVE-2023-33817 vulnerability was initially reported by LinuxGazette in an advisory published on its website:

- LinuxGazette Advisory

Additionally, the National Vulnerability Database (NVD) has published an entry for this vulnerability:

- NVD Entry

Mitigation

To fix the vulnerability, users running HotelDruid v3..5 should update their software to the latest version available at the HotelDruid website. Developers should also ensure proper input validation and parameterization of SQL queries to prevent future SQL injection vulnerabilities.
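The two developer-side measures named above, strict validation of the date field and a parameterized query, shown together as an added example (not HotelDruid's own code). The function names, the `inventory_demo` table and its columns are hypothetical, and the data lives in an in-memory SQLite database so the script runs on its own with the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only a real calendar date in YYYY-MM-DD form.
function parse_inventory_date(string $raw): ?string
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // Round-trip comparison rejects trailing data and overflow dates (2022-02-30).
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

// Hypothetical lookup: the value is bound as a parameter, never concatenated.
function find_inventory(PDO $db, string $date): array
{
    $stmt = $db->prepare('SELECT id, item FROM inventory_demo WHERE inv_date = :d');
    $stmt->execute([':d' => $date]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (demo only).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE inventory_demo (id INTEGER PRIMARY KEY, item TEXT, inv_date TEXT)');
$db->exec("INSERT INTO inventory_demo (item, inv_date) VALUES ('towels', '2022-01-01')");

$inputs = [
    '2022-01-01',                                             // well-formed date
    "2022-01-01' and (select 1 from (select sleep(10)) a) '", // date_inventario value from the request above, URL-decoded
    '2022-02-30',                                             // right shape, not a real date
];

foreach ($inputs as $raw) {
    $date = parse_inventory_date($raw);
    if ($date === null) {
        echo "rejected: ", var_export($raw, true), PHP_EOL;
        continue;
    }
    echo "accepted: $date, rows=", count(find_inventory($db, $date)), PHP_EOL;
}

// Even with validation skipped, binding keeps the payload as a plain string value.
echo "bound payload rows=", count(find_inventory($db, $inputs[1])), PHP_EOL;
```

Validation rejects the malformed values before any query runs, and the bound parameter ensures that a value which does reach the database is compared as data, not parsed as SQL.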

Conclusion

CVE-2023-33817 is a critical SQL injection vulnerability affecting HotelDruid v3..5, putting hotels, rental properties, and guesthouses at risk of a security breach. By exploiting this vulnerability, an attacker can gain unauthorized access to confidential data or compromise the entire system. It's essential to update HotelDruid to the latest version and ensure proper input validation and SQL query parameterization to mitigate the risk.

Timeline

Published on: 06/13/2023 21:15:00 UTC
Last modified on: 06/17/2023 03:12:00 UTC