In today's era of digitalization, effective management of assets has become an integral part of many organizations' efforts to enhance productivity and reduce costs, and a number of asset management systems have been developed to support it. One such application, Projectworlds Assets Management System in PHP version 1., has been found to be vulnerable to SQL injection, which poses a significant security risk to anyone running it.

Vulnerability Details

A SQL injection vulnerability, assigned the identifier CVE-2023-43144, has been identified in Projectworlds Assets Management System in PHP 1. It results from the "id" parameter of the "delete.php" file being placed into a SQL statement without validation, escaping, or parameterization. Anyone who can reach delete.php can therefore alter the DELETE statement the script runs, directly affecting the integrity and availability of the assets data; depending on the privileges of the database account and the server configuration, further impact on confidentiality is possible.

Exploit Details

The issue exists because the "id" parameter read in "delete.php" is not validated and is concatenated into the SQL text inside single quotes without escaping. A single quote in the parameter therefore terminates the string literal, and whatever follows is parsed as SQL, so an attacker controls the rest of the DELETE statement (for example its WHERE clause). Note that mysqli_query() executes only one statement per call, so this particular sink does not allow stacked queries; the attacker rewrites the DELETE rather than running arbitrary separate commands. Even so, this allows unauthorized data destruction, and the script's habit of echoing mysqli_error() back to the client gives an attacker feedback that eases further probing of the database.

Here is a code snippet highlighting the insecure code in "delete.php":

<?php
  include("config.php");           // provides $conn, the mysqli connection
  $id = $_GET['id'];               // untrusted query-string value, used as-is

  // The value is spliced into the SQL text; a quote in $id ends the literal
  // and the remainder of the parameter becomes part of the statement.
  $sql = "DELETE FROM assets WHERE id='$id'";

  if (mysqli_query($conn, $sql)) {
    header("location: index.php");
  } else {
    echo "Error: " . mysqli_error($conn);   // leaks the database error to the client
  }
?>

As seen in the code snippet above, the $id variable receives user input directly from $_GET['id'] without any validation or escaping. The variable is then interpolated into the SQL string, so an attacker can inject SQL of their own into the DELETE statement.

Proof of Concept

To demonstrate the vulnerability, an attacker can craft a URL whose id parameter closes the quoted literal and appends an always-true condition, as shown below (the URL-encoded form of the same parameter is id=1%27%20OR%20%271%27%3D%271):

http://example.com/delete.php?id=1' OR '1'='1

With this value the script executes DELETE FROM assets WHERE id='1' OR '1'='1', whose WHERE clause is true for every row, so the request deletes every record in the "assets" table.

Mitigation

To mitigate the vulnerability, user input must never be concatenated into SQL text. The reliable fix is a prepared statement with a parameterized query, so the database receives the statement and the value separately; validating that id is an integer is a useful additional check. Here is an example of how the code in "delete.php" can be modified to prevent SQL injection attacks:

<?php
  include("config.php");           // provides $conn, the mysqli connection

  // Validate first: the id must be an integer, otherwise reject the request.
  $id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT);
  if ($id === false) {
    http_response_code(400);
    exit("Invalid id");
  }

  // The placeholder keeps the value out of the SQL text entirely;
  // "i" tells mysqli to bind it as an integer.
  $stmt = $conn->prepare("DELETE FROM assets WHERE id = ?");
  $stmt->bind_param("i", $id);

  if ($stmt->execute()) {
    header("location: index.php");
    exit;                          // stop processing after the redirect
  } else {
    error_log("delete.php: " . $stmt->error);   // log server-side, do not echo to the client
    http_response_code(500);
    echo "Error deleting asset";
  }
?>

In the code snippet above, the id value is bound to a placeholder in a prepared statement rather than being inserted into the SQL string. The database receives the statement text and the parameter separately, so the parameter can never change the structure of the query, whatever characters it contains; the "i" type additionally casts it to an integer. The earlier filter_var() check rejects non-integer values up front, and the database error is logged rather than echoed to the client.
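The following is an added example, not code from the original advisory or from the Projectworlds project, that reproduces both the proof of concept above and the effect of the fix in a self-contained way. It uses an in-memory SQLite database and constructed sample rows as a stand-in for the application's MySQL "assets" table; the function and table names are assumptions for illustration. The vulnerable function splices the id into the query text exactly as delete.php does, and the parameterized function binds it as data exactly as the fixed version does, so the difference in outcome for the same payload can be observed directly.

```python
import sqlite3

# Constructed sample rows standing in for the application's assets table
# (not data from the original advisory).
SAMPLE_ASSETS = [(1, "laptop"), (2, "projector"), (3, "printer")]

# The payload from the proof of concept: closes the quoted id and appends
# an always-true condition.
INJECTION_PAYLOAD = "1' OR '1'='1"


def fresh_db():
    """In-memory SQLite stands in for the MySQL backend used by delete.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO assets (id, name) VALUES (?, ?)", SAMPLE_ASSETS)
    conn.commit()
    return conn


def vulnerable_delete(conn, user_id):
    """Mirrors the original delete.php: the id value is spliced into the SQL text.
    Returns the statement actually executed so the injected clause is visible."""
    sql = f"DELETE FROM assets WHERE id='{user_id}'"
    conn.execute(sql)
    conn.commit()
    return sql


def parameterized_delete(conn, user_id):
    """Mirrors the fixed delete.php: a placeholder keeps the value as data,
    so it cannot alter the statement. Returns the number of rows deleted."""
    cur = conn.execute("DELETE FROM assets WHERE id = ?", (user_id,))
    conn.commit()
    return cur.rowcount


def validated_delete(conn, raw_id):
    """Defence in depth on top of the placeholder: the id must be a decimal
    integer string (the PHP fix does the same with FILTER_VALIDATE_INT).
    Raises ValueError for anything else."""
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError("id must be a non-negative decimal integer")
    return parameterized_delete(conn, int(raw_id))


def remaining_ids(conn):
    """Ids still present in the table, in ascending order."""
    return [row[0] for row in conn.execute("SELECT id FROM assets ORDER BY id")]


def run_vulnerable(payload):
    """Apply the vulnerable handler to a fresh table; returns (sql sent, ids left)."""
    conn = fresh_db()
    sql = vulnerable_delete(conn, payload)
    return sql, remaining_ids(conn)


def run_parameterized(payload):
    """Apply the fixed handler to a fresh table; returns (rows deleted, ids left)."""
    conn = fresh_db()
    deleted = parameterized_delete(conn, payload)
    return deleted, remaining_ids(conn)


if __name__ == "__main__":
    print(run_vulnerable("1"))                   # ordinary request: only id 1 removed
    print(run_vulnerable(INJECTION_PAYLOAD))     # injected OR clause: table emptied
    print(run_parameterized(INJECTION_PAYLOAD))  # same payload bound as data: nothing deleted
```

Running the script shows the injected request producing the statement DELETE FROM assets WHERE id='1' OR '1'='1' and leaving the table empty, while the parameterized version given the identical payload deletes zero rows because no id equals the literal string. The validated wrapper rejects the payload before any query runs, which is the behaviour to aim for at the application boundary.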

Conclusion

Understanding and mitigating vulnerabilities like CVE-2023-43144 is crucial for developers and organizations that want to maintain the integrity, confidentiality, and availability of their assets and systems. By keeping user input out of SQL text through prepared statements with parameterized queries, and by validating input at the application boundary, developers can eliminate this class of SQL injection attack.

Original references

- Projectworlds Assets Management System in PHP 1.
- CVE-2023-43144 - National Vulnerability Database (NVD)

Timeline

Published on: 09/22/2023 15:15:12 UTC
Last modified on: 09/25/2023 16:45:30 UTC