CVE-2024-1926 - Critical SQL Injection Vulnerability Discovered in SourceCodester's Free and Open Source Inventory Management System 1.

A critical vulnerability has been discovered in SourceCodester's Free and Open Source Inventory Management System 1.. The vulnerability is rated as critical and has been assigned the identifier VDB-254861. This issue affects the processing of the file /app/ajax/search_sales_report.php and can lead to SQL injection attacks. The vulnerability is triggered through the manipulation of the "customer" argument. As the attack may be initiated remotely, it is essential that administrators and users of SourceCodester's Inventory Management System take the necessary steps to secure their systems.

Details of the Vulnerability

The vulnerability exists in the /app/ajax/search_sales_report.php file, where the "customer" argument is not properly sanitized before being used in a SQL query. This allows malicious users to inject SQL code into the query, potentially allowing unauthorized access to the database, extraction of sensitive information, or other malicious actions. Here is a relevant code snippet:

<?php
...
$customer = $_GET['customer'];   // taken straight from the query string, no validation or escaping
...

$query = "SELECT * FROM sales_report WHERE customer = '$customer'";   // user value interpolated directly into the SQL text
...
?>

As we can see in the code snippet above, the $customer variable is retrieved directly from the GET request without any data sanitization or input validation. This allows an attacker to potentially manipulate the SQL query using standard SQL injection techniques.

Exploit Details

A remote attacker can exploit this vulnerability by sending a specially crafted GET request containing malicious SQL code in the "customer" parameter. This will cause the malicious code to be executed as part of the SQL query, potentially leading to unauthorized access to the database, data exfiltration, or other malicious actions.

For example, this URL can be manipulated to cause the SQL injection:

https://example.com/app/ajax/search_sales_report.php?customer='; OR '1'='1

The original disclosure and confirmation of the vulnerability can be found in these sources:

1. SourceCodester's Inventory Management System 1. - SQL Injection
2. CVE-2024-1926 - National Vulnerability Database

Mitigation and Recommendations

SourceCodester's users and administrators of the Free and Open Source Inventory Management System 1. should take the following steps:

1. Update to the latest version, if available, to patch the vulnerability.
2. Modify the vulnerable code to properly sanitize and validate user input before using it in SQL queries. Utilize prepared statements to avoid SQL injection attacks.
3. Ensure proper access controls and monitoring are in place for systems running the inventory management software.
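One way to apply recommendation 2 to the snippet shown earlier, as an added example that is not code from the SourceCodester project: the database DSN and credentials are placeholders, the connectDb() and searchSalesReport() helpers are hypothetical, and only the sales_report table and customer column come from the advisory.

```php
<?php
// Added example: parameterised replacement for the vulnerable query in
// /app/ajax/search_sales_report.php. DSN and credentials are placeholders;
// table and column names are taken from the snippet in the advisory.
declare(strict_types=1);

function connectDb(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=inventory;charset=utf8mb4', // placeholder DSN
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Use real server-side prepared statements, not client-side emulation,
            // so the value can never be spliced into the SQL text.
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/**
 * Return sales_report rows for one customer. The value is bound as a
 * parameter, so quotes or SQL keywords inside it cannot change the
 * structure of the statement; they are only ever compared as data.
 */
function searchSalesReport(PDO $pdo, string $customer): array
{
    // Basic input validation on top of parameterisation (assumed limit).
    if ($customer === '' || strlen($customer) > 100) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM sales_report WHERE customer = :customer');
    $stmt->bindValue(':customer', $customer, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Vulnerable (original) form, for contrast:
//   $query = "SELECT * FROM sales_report WHERE customer = '$customer'";
// Hardened request handling:
$customer = filter_input(INPUT_GET, 'customer', FILTER_DEFAULT);
if (!is_string($customer)) {          // missing parameter or array value
    http_response_code(400);
    exit;
}
header('Content-Type: application/json');
echo json_encode(searchSalesReport(connectDb(), $customer));
```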

Conclusion

The discovery of this critical vulnerability in SourceCodester's Inventory Management System 1. is a reminder of the importance of proper input validation and data sanitization. Exploiting this vulnerability can lead to unauthorized access, manipulation of data, or other harmful activities. To minimize the risk, administrators should implement the recommendations provided above, keep systems updated, and monitor for potential attacks.

Timeline

Published on: 02/27/2024 17:15:11 UTC
Last modified on: 03/21/2024 02:51:49 UTC