A SQL injection vulnerability in the Food Ordering Management System (FOMS) version 1. has been identified, registered under CVE-2022-42990. This critical security issue, found in the application's all-orders.php component, allows attackers to execute arbitrary SQL queries by exploiting the vulnerable 'status' parameter. To mitigate this risk, it is highly recommended that affected installations be patched or updated immediately.

In this long-read post, we will provide details about the vulnerability, including example code snippets, links to relevant references, and insights into the potential exploits associated with this security flaw.

Vulnerability Details

In FOMS v1., the all-orders.php script is responsible for managing orders and filtering them by their current status. However, the script performs no input validation on the 'status' parameter before inserting it into the query, so a crafted 'status' value results in SQL injection.

The affected code snippet within all-orders.php demonstrates how the SQL query is constructed:

// Vulnerable code as shipped: the raw GET value is interpolated directly into the SQL string.
$order_status = $_GET['status'];
// $active is assumed to be set earlier in the script.
$query = "SELECT * FROM tbl_order WHERE active='$active' AND status='$order_status'";
$result = mysqli_query($conn, $query);

An attacker can manipulate the 'status' parameter, appending arbitrary SQL queries and executing them, potentially modifying or accessing sensitive user data without proper authorization.

Consider the following URL within the Food Ordering Management System v1.

https://example.com/foms/all-orders.php?status=Cancelled%20by%20Customer

An attacker can exploit this SQL injection vulnerability by altering the 'status' parameter as shown below:

https://example.com/foms/all-orders.php?status=Cancelled%20by%20Customer'%20OR%201=1--

The modified URL appends a ' OR 1=1-- fragment to the parameter: the leading single quote closes the status string literal, OR 1=1 makes the WHERE clause true for every row, and the trailing -- comments out the rest of the original query, allowing attackers to view all orders regardless of their current status.

Impact

An attacker can leverage this vulnerability to access, modify or delete sensitive data, compromise the integrity of the database, and exploit other potentially vulnerable components within the Food Ordering Management System v1. Unauthorized access to user accounts, payment information, personal details, and more can lead to fraud, privacy invasion, and severe detrimental effects on affected businesses and users.

Solution

To mitigate this security risk, users of Food Ordering Management System version 1. should immediately apply patches or updates provided by the vendor. In the meantime, input validation and prepared statements can be implemented in the all-orders.php file to prevent SQL injection attacks.
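The following is an added example of the hardened form of the query, not the vendor's patch. It assumes the same mysqli connection $conn, the $active value and the tbl_order table used by the original snippet, a hypothetical allowlist of status values, and a PHP build with mysqlnd so that get_result() is available:

```php
<?php
// Added example (not the vendor's code): a hardened replacement for the
// vulnerable query in all-orders.php. Assumes $conn is an open mysqli
// connection and $active holds the value used by the original query.

// Hypothetical allowlist of the status values the application uses;
// anything else is rejected before it reaches the database.
const ALLOWED_STATUSES = [
    'Pending',
    'Confirmed',
    'Delivered',
    'Cancelled by Customer',
];

function fetch_orders_by_status(mysqli $conn, string $active, string $status): array
{
    // 1. Validate against the allowlist. Strict in_array avoids type juggling.
    if (!in_array($status, ALLOWED_STATUSES, true)) {
        throw new InvalidArgumentException('Unknown order status');
    }

    // 2. Parameterize the query. The user-supplied value never becomes part
    //    of the SQL text, so a value such as "' OR 1=1--" is compared as a
    //    literal status string rather than parsed as SQL.
    $stmt = $conn->prepare(
        'SELECT * FROM tbl_order WHERE active = ? AND status = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('ss', $active, $status);
    $stmt->execute();

    // get_result() requires the mysqlnd driver (assumed here).
    $result = $stmt->get_result();
    $rows = $result->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage in all-orders.php, replacing the vulnerable lines:
$order_status = $_GET['status'] ?? '';
try {
    $orders = fetch_orders_by_status($conn, $active, $order_status);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Invalid status filter');
}
```

Either control alone closes the injection; the allowlist additionally rejects unexpected values early and gives a clean point to log rejected requests.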

References

- Official CVE-2022-42990 Record
- Security Advisory on Food Ordering Management System v1.
- NIST National Vulnerability Database Entry for CVE-2022-42990

Conclusion

CVE-2022-42990 demonstrates a critical SQL injection vulnerability found in the Food Ordering Management System v1. Proper input validation, parameterized queries and prompt security updates are necessary to protect sensitive user data and maintain the trust and integrity of businesses using this software. Stay vigilant and employ best security practices to keep your applications and users safe.

Timeline

Published on: 11/07/2022 16:15:00 UTC
Last modified on: 11/08/2022 04:24:00 UTC