In this post, we take a close look at an SQL injection vulnerability (CVE-2023-42807) found in Frappe LMS, an open-source learning management system. The vulnerability affected versions 1.. and prior. The developers have since fixed the issue, and users running the latest main branch of the app are not exposed to it.

Overview

Frappe LMS (https://github.com/frappe/school) is a popular, open-source learning management system designed to help educators and students manage their courses, assignments, and grades. A security researcher recently discovered an SQL injection vulnerability on the People Page of LMS, present in versions 1.. and earlier.

Vulnerability Details

The vulnerability lies in the People Page, where an attacker could exploit it to gain unauthorized access to the system or modify data without permission. The root cause is unsafe handling of user input in SQL queries: input is placed into the query text without being separated from the SQL itself, so an attacker can alter the query to read sensitive information or gain unauthorized control of the system.

Here is a simplified code snippet that shows the vulnerable pattern:

def get_people_list(search_value):
    connection = get_connection()  # application helper that returns a database connection
    cursor = connection.cursor()
    # Vulnerable: search_value is concatenated straight into the SQL text, so a quote
    # character in it ends the string literal and whatever follows is parsed as SQL.
    sql_query = "SELECT * FROM users WHERE name LIKE '%" + search_value + "%';"
    cursor.execute(sql_query)
    people = cursor.fetchall()
    return people

In this example, the application takes the user's input (search_value) and concatenates it into the SQL query string. An attacker can easily craft the search_value parameter to inject SQL and cause unexpected behavior.

Patch and Mitigation

The Frappe LMS developers have addressed this vulnerability in the main branch of the repository. Users should update their applications to the latest main branch to avoid exposure to this SQL injection vulnerability.

Here is how the patched code should look:

def get_people_list(search_value):
    connection = get_connection()  # application helper that returns a database connection
    cursor = connection.cursor()
    # Fixed: the query text contains only a placeholder; the LIKE pattern is passed
    # separately as a bound parameter, so the driver never parses it as SQL.
    sql_query = "SELECT * FROM users WHERE name LIKE %s;"
    cursor.execute(sql_query, (f"%{search_value}%",))
    people = cursor.fetchall()
    return people

In the updated code, instead of concatenating user input directly into the SQL query, the application uses a placeholder (%s) and supplies the user input as a separate value in a parameter tuple. This prevents SQL injection because the input is sent to the database as a bound value and treated as data, never as part of the SQL statement text.
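To see the difference in behaviour, the following is an added, runnable comparison of the two shapes above (example code written for this post, not Frappe's own). It assumes a constructed in-memory SQLite table standing in for the LMS users table; SQLite binds parameters with ? where Frappe's MariaDB driver uses %s, but the binding principle is identical.

```python
import sqlite3

# Constructed in-memory stand-in for the LMS users table (sample rows, not
# real data). Assumption: sqlite3 takes ? placeholders where Frappe's
# MariaDB driver takes %s; the parameter-binding principle is the same.
def get_connection():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Alice Example", "alice@example.test"),
         ("Bob Example", "bob@example.test"),
         ("Carol Example", "carol@example.test"),
         ("Dan O'Brien", "dan@example.test")],
    )
    return conn

def get_people_list_vulnerable(search_value):
    # Pre-patch shape: the search text is spliced into the SQL string, so a
    # quote in it ends the literal and the rest is parsed as SQL.
    cur = get_connection().cursor()
    cur.execute("SELECT * FROM users WHERE name LIKE '%" + search_value + "%';")
    return cur.fetchall()

def get_people_list_patched(search_value):
    # Patched shape: the whole LIKE pattern is bound as one parameter, so
    # quotes and keywords inside it are matched as text, never parsed.
    cur = get_connection().cursor()
    cur.execute("SELECT * FROM users WHERE name LIKE ?;", (f"%{search_value}%",))
    return cur.fetchall()

def compare(search_value):
    # Row count from each version (or the error class name if the query
    # fails to parse), so the two behaviours can be put side by side.
    try:
        vulnerable = len(get_people_list_vulnerable(search_value))
    except sqlite3.Error as exc:
        vulnerable = type(exc).__name__
    return vulnerable, len(get_people_list_patched(search_value))

if __name__ == "__main__":
    print(compare("Bob"))            # (1, 1): both versions match one user
    print(compare("O'Brien"))        # ('OperationalError', 1): a legitimate apostrophe breaks the old query
    print(compare("' OR 1=1 OR '"))  # (4, 0): old query returns every row, patched one matches nothing
```

Note that the unpatched query also fails on ordinary names containing an apostrophe, so a spike in database syntax errors from a search endpoint is itself a useful signal that input is being concatenated into SQL.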

Conclusion

CVE-2023-42807 is a critical SQL injection vulnerability in Frappe LMS versions 1.. and prior. Users should update their installations to the latest main branch from the Frappe LMS GitHub repository to keep their learning management system secure.

Timeline

Published on: 09/21/2023 17:15:23 UTC
Last modified on: 09/25/2023 16:34:41 UTC