Sourcecodester’s Doctor Appointment System 1. is an online reservation system for healthcare professionals. The platform allows patients and doctors to communicate and schedule doctor appointments. Unfortunately, the platform has a critical vulnerability, tracked as CVE-2023-40945, which could allow an attacker to perform SQL injection attacks using the $userid variable in the doctors\myDetails.php file.

This long-read post aims to discuss the details about CVE-2023-40945, highlight the vulnerable code snippet, provide links to original references and external resources, and offer insights into potential exploit details. By the end of this post, you will have a solid understanding of this vulnerability and how it can affect the security of your systems.

Vulnerable Code Snippet

The vulnerability exists in the doctors\myDetails.php file and is related to the handling of the $userid variable. The code snippet that demonstrates the issue is as follows:

<?php
// ...
// The doctor id is read from the session and used as-is.
$userid = $_SESSION['doctorSession']['id'];
// The value is concatenated straight into the SQL text: whatever is stored in
// the session becomes part of the statement, with no validation or escaping.
$query = "SELECT * FROM doctors WHERE id=" . $userid;
$result = mysqli_query($link, $query);
// ...
?>

In the code above, the application retrieves the user ID from the $_SESSION superglobal and assigns it to the $userid variable. However, there is no sanitization of this variable before using it in the $query for querying the database. This lack of sanitization makes the platform vulnerable to SQL injection attacks, as an attacker could inject malicious SQL code through the $userid variable.

References

1. Sourcecodester Doctor Appointment System 1.: https://www.sourcecodester.com/php/14761/doctor-appointment-system-php-full-source-code.html
2. CVE-2023-40945 - Official Entry in NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-40945
3. OWASP - SQL Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Exploit Details

An attacker could exploit this vulnerability by manipulating the session data so that a malicious SQL string ends up in the $userid variable. Because $userid is read from $_SESSION rather than directly from the request, exploitation depends on the attacker being able to influence what the application stores in that session entry; once there, the value is concatenated into the query with no input validation or escaping, so the system becomes vulnerable to SQL injection.

A potential payload for exploiting this vulnerability could be as follows:

1 OR 1=1; -- '

An attacker can inject this payload into the $userid variable, causing the SQL query to fetch all the records from the doctors table despite the user not being authenticated. This information could be further used to infiltrate the system’s sensitive data.

Mitigation

To protect your applications from this vulnerability, it is recommended to apply proper input validation, output encoding, and parameterized queries. One recommended practice is using prepared statements, as they can help prevent SQL injection attacks.

Here is an example of how the code snippet can be modified to mitigate the vulnerability using MySQLi prepared statements:

<?php
$userid = $_SESSION['doctorSession']['id'];
// The id is supplied as a placeholder; the value is never spliced into the SQL text.
$query = "SELECT * FROM doctors WHERE id = ?";
$stmt = mysqli_prepare($link, $query);
if ($stmt === false) {
    // Stop rather than continue with an unprepared statement.
    die('Failed to prepare statement');
}
// 'i' binds $userid as an integer, so SQL text inside the value cannot change the statement.
mysqli_stmt_bind_param($stmt, 'i', $userid);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
// ...
?>

By implementing the mitigation measures mentioned above, you can secure your application against SQL injection attacks and protect your system from unauthorized access.
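The following Python script is an added example (not part of the original post or of the Sourcecodester project) that reproduces the two code paths above against a constructed in-memory SQLite table: the concatenated query from myDetails.php, the parameterized replacement, and a strict id check to run before binding. It uses the payload from the Exploit Details section without its trailing statement terminator, since sqlite3's execute() accepts a single statement.

```python
import sqlite3

# Constructed stand-in for the application's `doctors` table (not the project's data).
DOCTORS = [(1, "Dr. Alice"), (2, "Dr. Bob"), (3, "Dr. Carol")]

# The page's payload, minus the trailing ';' (sqlite3's execute() takes one statement).
PAYLOAD = "1 OR 1=1 -- '"


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doctors (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO doctors VALUES (?, ?)", DOCTORS)
    return conn


def lookup_concatenated(conn, userid):
    """Mirrors the vulnerable myDetails.php: the session value is spliced into SQL text."""
    query = "SELECT * FROM doctors WHERE id=" + str(userid)
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, userid):
    """Mirrors the patched version: the value travels as a bound parameter, never as SQL."""
    return conn.execute("SELECT * FROM doctors WHERE id=?", (userid,)).fetchall()


def is_valid_userid(value):
    """Strict check to run before the query: only a positive integer (or its plain
    decimal string form) is an acceptable doctor id. Binding alone is not a
    substitute: mysqli's 'i' type would cast '1 OR 1=1' to 1 instead of rejecting it."""
    if isinstance(value, str) and value.isascii() and value.isdigit():
        value = int(value)
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


if __name__ == "__main__":
    db = make_db()
    print("concatenated, honest id :", lookup_concatenated(db, 2))
    print("concatenated, payload   :", lookup_concatenated(db, PAYLOAD))   # every row
    print("parameterized, payload  :", lookup_parameterized(db, PAYLOAD))  # no rows
    print("payload passes validation?", is_valid_userid(PAYLOAD))          # False
```

Run it and compare the second and third lines: the same payload returns the whole table through concatenation and nothing through the bound parameter.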

Conclusion

CVE-2023-40945 is a critical SQL injection vulnerability present in Sourcecodester Doctor Appointment System 1. due to insufficient handling of the $userid variable in the doctors\myDetails.php file. Developers using this platform must be cautious when handling user input and should implement proper input validation, output encoding, and parameterized queries to avoid such vulnerabilities. Following secure coding practices and regularly auditing the source code for vulnerabilities can help in maintaining the security and integrity of information systems.

Timeline

Published on: 09/11/2023 20:15:10 UTC
Last modified on: 09/13/2023 03:49:35 UTC