A critical vulnerability, tracked as CVE-2024-1821, has been discovered in the Code-Projects Crime Reporting System 1.. This system is widely used for reporting criminal activities and assisting law enforcement agencies in managing cases. The vulnerability specifically affects the 'police_add.php' file and can lead to SQL injection attacks. Because of its severe impact on data security, users and developers need to understand the exploit and take appropriate action to mitigate the risks.

Technical Details

The vulnerability was discovered during an investigation into the Crime Reporting System's handling of user input data within the 'police_add.php' file. The file is responsible for processing information about police officers, including their names, IDs, specializations, and passwords.

During the examination, it was found that the input parameters 'police_name', 'police_id', 'police_spec', and 'password' could be manipulated by an attacker to launch an SQL injection attack. These parameters are not adequately validated, so an attacker could inject and execute arbitrary SQL commands, resulting in unauthorized access to sensitive data.

The following code snippet from the 'police_add.php' file highlights the vulnerability:

<?php
// Vulnerable: request parameters are read with no validation or type checks.
$police_name = $_POST['police_name'];
$police_id = $_POST['police_id'];
$police_spec = $_POST['police_spec'];
$password = $_POST['password'];

// Vulnerable: the raw values are interpolated directly into the SQL string.
$sql = "INSERT INTO police (police_name, police_id, police_spec, password) VALUES ('$police_name', '$police_id', '$police_spec', '$password')";
$result = mysql_query($sql);
?>

In the above code, the user-supplied inputs are directly used in the SQL query without proper validation or prepared statements, making the application susceptible to SQL injection attacks.

The vulnerability has been assigned the identifier VDB-254609.

Exploit

An attacker can exploit this vulnerability by supplying malicious SQL commands as input to any of the affected parameters. By taking advantage of the weak input validation, an attacker could potentially access, modify, or delete sensitive data within the database. Additionally, this exploit could allow an attacker to escalate privileges within the system, compromising its overall security.

For instance, an attacker could provide the following input for the 'police_name' parameter:

' OR 1=1; -- '

This input would cause the SQL query to return all records from the 'police' table, potentially revealing sensitive information about police personnel.

References

1. Code-Projects Crime Reporting System 1.
2. CVE-2024-1821
3. VDB-254609

Recommendations


Since this vulnerability is critical and may result in significant data breaches, users and developers must take immediate action to mitigate the risk.

1. Update to the latest version of the Crime Reporting System, incorporating any available security patches.
2. Implement proper input validation mechanisms, such as prepared statements, to prevent SQL injection attacks.

Regularly monitor system logs to detect any suspicious activities or unauthorized access attempts.
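Recommendation 2 applied to the INSERT from 'police_add.php', as an added example that is not code from the Crime Reporting System project. It assumes PDO with an in-memory SQLite database standing in for the real one; `validate_officer` and `add_officer` are hypothetical names, and the `police_id` pattern and the password hashing are assumptions made for illustration.

```php
<?php
// Added example, not project code. Assumptions: PDO with in-memory SQLite stands in
// for the real database; the table layout is inferred from the INSERT on the page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE police (police_name TEXT, police_id TEXT, police_spec TEXT, password TEXT)');

// Hypothetical helper: allow-list validation applied before any query is built.
function validate_officer(array $in): array
{
    foreach (['police_name', 'police_id', 'police_spec', 'password'] as $key) {
        if (!isset($in[$key]) || !is_string($in[$key]) || $in[$key] === '') {
            throw new InvalidArgumentException("missing field: $key");
        }
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $in['police_id'])) { // assumed ID format
        throw new InvalidArgumentException('police_id has unexpected characters');
    }
    return $in;
}

// Hardened insert: the SQL text is fixed and the values travel as bound parameters.
function add_officer(PDO $db, array $in): void
{
    $in = validate_officer($in);
    $stmt = $db->prepare(
        'INSERT INTO police (police_name, police_id, police_spec, password)
         VALUES (:name, :id, :spec, :pw)'
    );
    $stmt->execute([
        ':name' => $in['police_name'],
        ':id'   => $in['police_id'],
        ':spec' => $in['police_spec'],
        // Hashing is an extra hardening step added here; the page does not cover it.
        ':pw'   => password_hash($in['password'], PASSWORD_DEFAULT),
    ]);
}

// Constructed sample request using the input string quoted earlier on the page.
$post = [
    'police_name' => "' OR 1=1; -- '",
    'police_id'   => 'P-1001',
    'police_spec' => 'traffic',
    'password'    => 'constructed-sample',
];
add_officer($db, $post);

// With bound parameters the string is stored verbatim as data, not parsed as SQL.
$row = $db->query('SELECT police_name, police_id FROM police')->fetch(PDO::FETCH_ASSOC);
var_dump($row['police_name'] === $post['police_name']);
```

The same pattern applies with `mysqli::prepare` and `bind_param` if the application stays on MySQL.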

By taking these steps, users of the Crime Reporting System can safeguard their data and maintain a secure environment for handling sensitive information.

Timeline

Published on: 02/23/2024 16:15:47 UTC
Last modified on: 03/04/2024 19:15:19 UTC