A critical vulnerability has been found in the popular SourceCodester Canteen Management System, a web-based solution used by schools, colleges, and workplaces to manage canteen-related tasks. This vulnerability has been assigned the identifier CVE-2022-4222 and poses a significant risk to users of the affected system. It has been rated as critical due to the potential for remote attackers to exploit this vulnerability and gain unauthorized access to sensitive information.
The vulnerability lies within the function query of the file ajax_invoice.php and is related to the handling of POST requests. Specifically, the manipulation of the search argument can lead to SQL injection. This type of attack allows attackers to execute arbitrary SQL queries on the database, potentially leading to unauthorized access and data retrieval or manipulation.
This post aims to provide a comprehensive look at this vulnerability, including code snippets, links to original references, and further details on the exploit.
The vulnerable function query in ajax_invoice.php has a code snippet similar to the one below
$srch = $_POST["search"]["value"];
$query .= "SELECT * FROM invoice WHERE id LIKE '%" . $srch . "%' OR invoice_no LIKE '%" . $srch . "%'";
In this code snippet, it's evident that the $srch variable is directly utilized in the SQL query without any sanitization. This lack of proper input validation leaves the system open to potential SQL injection attacks.
The vulnerability has been disclosed and can be found in the following public sources
1. Original vulnerability report
2. SourceCodester Canteen Management System official website
Exploit Details
The exploit for this vulnerability involves sending a specially crafted POST request to the ajax_invoice.php endpoint. By crafting the search argument in such a way that valid SQL queries are included, an attacker can trick the system into interpreting it as part of the SQL statement, thus allowing them to execute arbitrary queries.
For example, an attacker might send the following malicious POST request
POST /ajax_invoice.php HTTP/1.1
search: %' OR 1=1;--
In this case, the SQL query would become
SELECT * FROM invoice WHERE id LIKE '%' OR 1=1;--' OR invoice_no LIKE '%' OR 1=1;--'
This query would essentially return all records from the invoice table, effectively bypassing any search filters. A more advanced attacker might exploit this vulnerability to gain unauthorized access to sensitive data, modify or delete records, or even gain control over the entire database.
It is crucial for users of SourceCodester Canteen Management System to be aware of this critical vulnerability and to take necessary measures to protect their systems from potential exploitation.
Conclusion
CVE-2022-4222 is a critical vulnerability present in the SourceCodester Canteen Management System, and it allows remote attackers to perform SQL injection attacks by manipulating the search argument in the POST request handler of the ajax_invoice.php component. It is essential for users of the affected system to take action to protect their data and systems from potential attacks.
Users should either promptly apply any available security patches or work with developers to understand how to add proper input validation and sanitization to prevent SQL injection vulnerabilities. Staying informed on security vulnerabilities and taking quick action can help protect your data and keep your systems secure.
Timeline
Published on: 11/30/2022 07:15:00 UTC
Last modified on: 12/01/2022 23:41:00 UTC