Introduction:

A severe SQL injection vulnerability has been discovered in the pearProjectApi v2.8.10. The vulnerability exists in the handling of the projectCode parameter at the project.php file, allowing remote attackers to execute malicious SQL queries, potentially resulting in unauthorized access to sensitive data or remote code execution. This vulnerability has been assigned the CVE-2023-27112 identifier.

Vulnerable Application:

The application in question, pearProjectApi v2.8.10, is a popular open-source project management tool designed for software development teams. The potentially affected system can be downloaded from the official GitHub repository at https://github.com/pear/ProjectAPI.

Exploit Details:

The vulnerability exists due to improper handling of user input within the projectCode parameter at the project.php file. An attacker can send a specially crafted request containing malicious SQL code as the projectCode parameter, which would then get executed as part of an SQL query on the backend database. This malicious request can potentially result in unauthorized access to sensitive data or remote code execution.

Here is a code snippet illustrating the SQL injection vulnerability within the project.php file:

<?php
// $connection is assumed to be an already-open mysqli connection.

// Get project id from the project code
$projectCode = $_GET['projectCode'];
// User input is concatenated straight into the SQL text (the injection point)
$query = "SELECT * FROM projects WHERE project_code = '" . $projectCode . "'";
$result = mysqli_query($connection, $query);

// Process the SQL query result
if (mysqli_num_rows($result) > 0) {
    ...
} else {
    ...
}

As can be seen from the code snippet above, the $projectCode variable is directly taken from the user-supplied input ($_GET['projectCode']) and used in the SQL query without any kind of proper input filtering or sanitization. This lack of adequate input validation allows an attacker to easily inject malicious SQL code as the projectCode parameter.

Exploit Example:

The following example demonstrates the exploit in action, using a simple payload to extract the username of the first record in the users table:

http://example.com/project.php?projectCode='; UNION SELECT 1,username,3,4,5 FROM users LIMIT 1 -- -

To remediate this SQL injection vulnerability, developers should take the following steps:

1. Implement proper input validation, for example with PHP's built-in filter_var() function, and use prepared statements.

2. Use parameterized queries or stored procedures when processing SQL statements to minimize the risk of SQL injection.

3. In general, always follow secure coding best practices, such as the OWASP Top Ten Project recommendations.
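The following shows how steps 1 and 2 apply to the vulnerable query above. This is an added example, not pearProjectApi's own code; it assumes $connection is an open mysqli connection as in the snippet, and it assumes project codes are short alphanumeric identifiers (the real format may differ).

```php
<?php
// Hardened handling of the projectCode parameter (added example, not pearProjectApi code).
// Assumes $connection is an open mysqli connection, as in the advisory's snippet, and that
// project codes are short alphanumeric identifiers (an assumed format; adjust to the real one).

/**
 * Step 1: validate the shape of the input before it reaches the database.
 * Returns the code on success, or null if it does not match the expected format.
 */
function validateProjectCode(string $raw): ?string
{
    $code = filter_var($raw, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[A-Za-z0-9_-]{1,32}$/'],
    ]);
    return $code === false ? null : $code;
}

/**
 * Step 2: look the project up with a parameterized query. The value is bound as a
 * string parameter and never concatenated into the SQL text, so quotes or keywords
 * in $projectCode cannot change the structure of the query.
 */
function findProjectByCode(mysqli $connection, string $projectCode): ?array
{
    $stmt = $connection->prepare('SELECT * FROM projects WHERE project_code = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $connection->error);
    }
    $stmt->bind_param('s', $projectCode);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Request handling: reject malformed codes with a 400 instead of passing them to SQL.
$projectCode = validateProjectCode($_GET['projectCode'] ?? '');
if ($projectCode === null) {
    http_response_code(400);
    exit('invalid projectCode');
}
$project = findProjectByCode($connection, $projectCode);
if ($project !== null) {
    // ... process the project row
} else {
    http_response_code(404);
}
```

Either layer alone blocks the payload shown above (the format check rejects quotes, semicolons and spaces; the bound parameter keeps them as data), but the two together also give a clear rejection point to log and alert on.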

Awareness and timely action can help ensure the security of your applications and minimize the risk of cyber attacks. Keep up-to-date with new findings and apply remediation as necessary to protect your environment from potential threats.

References

1. CVE-2023-27112 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27112
2. pearProjectApi v2.8.10 - https://github.com/pear/ProjectAPI
3. OWASP Top Ten Project - https://owasp.org/www-project-top-ten/

Timeline

Published on: 01/21/2025 22:15:09 UTC
Last modified on: 03/13/2025 21:15:37 UTC