Security researchers recently disclosed a severe vulnerability, CVE-2023-40945, in the widely used Sourcecodester Doctor Appointment System 1. The flaw is an SQL Injection in doctors/myDetails.php, reached through the $userid variable. An attacker can use it to read sensitive data, take over the database, or even gain control of the affected application.
In this post, we’ll break down how this vulnerability works, provide code snippets to help you understand, show a sample exploit, and point you to original references for more information.
What is SQL Injection?
SQL Injection lets an attacker manipulate queries to your database by injecting arbitrary SQL code, often leading to data theft or manipulation. It's one of the most common and dangerous web vulnerabilities.
The Vulnerable Code
The issue in Doctor Appointment System 1. lies in the doctors/myDetails.php file. The application fetches information about a doctor based on their user ID, passed through a variable named $userid. Here's a reconstructed snippet similar to what you'd find in the source code:
    <?php
    session_start();
    include('dbconnection.php');   // provides the $con mysqli connection

    if (isset($_SESSION['userid'])) {
        // Session value is trusted as-is: no validation, no parameter binding
        $userid = $_SESSION['userid'];

        // $userid is interpolated straight into the SQL text, so a quote in the
        // value terminates the string literal and the rest becomes live SQL
        $query  = "SELECT * FROM doctors WHERE id = '$userid'";
        $result = mysqli_query($con, $query);

        // ... handle $result ...
    }
    ?>
What’s the problem?
The code takes $_SESSION['userid'] and inserts it directly into the SQL query without any sanitization or parameterization. If an attacker controls $_SESSION['userid'], they can inject arbitrary SQL.
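The same lookup rewritten with a prepared statement, as an added example for comparison (this is not the project's own fix): it assumes dbconnection.php defines $con as a mysqli connection, as in the snippet above, and the helper name fetch_doctor is hypothetical.

```php
<?php
// Added example (not the project's code): the doctors/myDetails.php lookup
// with $userid bound as a parameter, so session contents can never change
// the structure of the query.
session_start();
include('dbconnection.php');   // assumed to define $con (mysqli), as in the original

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function fetch_doctor(mysqli $con, $userid): ?array
{
    // Defence in depth: the id column is numeric, so reject anything that is
    // not a plain positive integer before it gets anywhere near SQL.
    $id = filter_var($userid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The placeholder keeps the value out of the SQL text entirely; a payload
    // such as  1' UNION SELECT ...  fails the integer check above, and even
    // without that check it would be sent as a bound value, never as SQL.
    $stmt = $con->prepare('SELECT * FROM doctors WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

if (!isset($_SESSION['userid'])) {
    http_response_code(403);
    exit('Not logged in');
}

$doctor = fetch_doctor($con, $_SESSION['userid']);
if ($doctor === null) {
    http_response_code(404);
    exit('Doctor not found');
}
// ... render $doctor; pass each field through htmlspecialchars() on output ...
```

get_result() needs the mysqlnd driver; on builds without it, use bind_result() and fetch() instead.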
How Can This Be Exploited?
Even though userid comes from the user session, there are several ways its value might be manipulated: session fixation, untrusted code running in the same session, or other parts of the application that write session data straight from GET/POST parameters.
Manipulate Session:
Assume the attacker already manipulated their session to set $_SESSION['userid'] to a malicious value, perhaps via another vulnerable endpoint, or even stealing a session cookie.
Extracting Data:
Attackers can use similar techniques to dump sensitive data, modify database content, or escalate their privileges.
If sessions are tracked via PHPSESSID cookies, a crafted request might look like

    curl -b "PHPSESSID=attacker_session" "http://victim.com/doctors/myDetails.php"

where, in a previous request (or via another bug), the attacker set their session's userid to

    1' UNION SELECT 1,username,password,email FROM admins --
*If the query output is directly shown to the user, attackers could read admin usernames and password hashes.*
Original References
- CVE-2023-40945 Details – NVD
- Exploit-DB Report
- Sourcecodester Project Download and Docs
Conclusion
CVE-2023-40945 proves that even trusted variables like sessions can be dangerous if mishandled. If you use Sourcecodester Doctor Appointment System 1., audit your code for similar issues everywhere, not just in this file.
By understanding how these attacks work, you can prevent much bigger problems down the line. Patch your systems, and spread the word.
Stay safe!
*This post is exclusive content created for learning purposes, based on public advisories and analysis of the Doctor Appointment System 1. vulnerability.*
Timeline
Published on: 09/11/2023 20:15:10 UTC
Last modified on: 09/13/2023 03:49:35 UTC