A critical SQL injection vulnerability, identified as CVE-2023-38870, has been discovered in Gugoan Economizzer's commit 373088 (dated April 2023) and version .9-beta1. This vulnerability exists within the cash book feature that allows listing accomplishments by category. The 'category_id' parameter is particularly susceptible to SQL injection, posing severe risks to the affected software and data stored within the application.

Affected Application

Gugoan Economizzer commit 373088 (April 2023) and version .9-beta1.

Vulnerability Details

An attacker can inject malicious SQL queries using the 'category_id' parameter as an entry point. This flaw potentially allows unauthorized access to sensitive data stored within the cash book and can even lead to elevated privileges, depending on the SQL query executed.

Consider the following example illustrating the vulnerable code section:

// Vulnerable: the raw query-string value is interpolated straight into the SQL text
$category_id = $_GET['category_id'];
$query = "SELECT * FROM accomplishments WHERE category_id = $category_id;";
$result = mysqli_query($conn, $query);

In this example, the application takes the 'category_id' parameter directly from the user without any validation or sanitization. An attacker can inject malicious SQL queries through this parameter, which can lead to bypassing authentication mechanisms and gaining unauthorized access.

Exploit Details

To demonstrate how this vulnerability can be exploited, consider the following URL containing the vulnerable 'category_id' parameter:

http://example.com/cashbook?category_id=1

An attacker could craft an SQL injection payload as a replacement for the 'category_id' parameter like this:

http://example.com/cashbook?category_id=1' OR 1=1; --

This crafted URL will cause the SQL query to return all records within the database, rather than filtering by the original 'category_id' value, showing that an attacker can manipulate the query as desired.

Original References

The details and proof-of-concept exploit for this vulnerability can be found in the following resources:

- CVE-2023-38870 at NVD
- Security Advisory Blog Post

Recommendation

To mitigate this vulnerability, it is strongly advised to sanitize the 'category_id' parameter before using it in any SQL query. Using prepared statements is a recommended method to prevent SQL injection attacks. Below is an example of utilizing prepared statements for this specific scenario:

$category_id = $_GET['category_id'];
// The query text contains only a placeholder; the value is sent to the server separately
$query = "SELECT * FROM accomplishments WHERE category_id = ?;";
$statement = mysqli_prepare($conn, $query);
// "i" binds the value as an integer, so it can never change the structure of the query
mysqli_stmt_bind_param($statement, "i", $category_id);
mysqli_stmt_execute($statement);
$result = mysqli_stmt_get_result($statement);

In this revised code snippet, a prepared statement is used to separate the SQL query's structure from its data: the 'category_id' value is bound as an integer parameter and is never parsed as part of the SQL text, so it cannot be used for SQL injection.

Note that the vulnerability has been addressed in the latest release of Gugoan Economizzer, and users are urged to update their application to the most recent, patched version available on the official GitHub repository.
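For defenders who cannot patch immediately, a complementary control is to watch for requests whose 'category_id' value is not the plain integer the cash book query expects. The following Python check is an added example, not code from this advisory or from the Economizzer project; it assumes combined-format web server access logs and a '/cashbook' path, and the log lines it scans are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry,
# e.g. "GET /cashbook?category_id=1 HTTP/1.1"
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The only shape a legitimate category_id should ever have
_INT_RE = re.compile(r'-?\d+')

# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Sep/2023:04:15:11 +0000] "GET /cashbook?category_id=1 HTTP/1.1" 200 512
203.0.113.5 - - [28/Sep/2023:04:15:12 +0000] "GET /cashbook?category_id=42 HTTP/1.1" 200 611
198.51.100.9 - - [28/Sep/2023:04:16:03 +0000] "GET /cashbook?category_id=1%27%20OR%201%3D1%3B%20-- HTTP/1.1" 200 9812
198.51.100.9 - - [28/Sep/2023:04:16:20 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
"""


def suspicious_category_ids(log_text, path="/cashbook"):
    """Return (line_no, client_ip, decoded_value) for every request to `path`
    whose category_id is not a plain integer. Percent-encoding is decoded
    before the check so encoded quotes and spaces are not missed."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = _REQ_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path != path:
            continue
        # keep_blank_values so an empty "category_id=" is also reported
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("category_id", []):
            if not _INT_RE.fullmatch(value):
                client_ip = line.split()[0]
                hits.append((line_no, client_ip, value))
    return hits


if __name__ == "__main__":
    for line_no, ip, value in suspicious_category_ids(SAMPLE_LOG):
        print(f"line {line_no}: {ip} sent non-integer category_id {value!r}")
```

The same integer-only rule belongs in the application itself (rejecting the request before the query is built); the log check only tells you whether anyone has already been probing the parameter.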

Timeline

Published on: 09/28/2023 04:15:11 UTC
Last modified on: 10/03/2023 00:10:51 UTC