CVE-2023-5281: Critical Vulnerability Found in SourceCodester Engineers Online Portal 1.

A critical vulnerability (CVE-2023-5281) in SourceCodester Engineers Online Portal 1. has recently been detected. It affects an unknown part of the file remove_inbox_message.php. An attacker can exploit it remotely by manipulating the argument id, leading to SQL injection.

Exploit Details

An attacker can manipulate the "id" argument in remove_inbox_message.php to inject malicious SQL code. This enables the attacker to access, modify or delete data in the platform's database without proper authorization. The exploit has been publicly disclosed, which makes it more likely that attackers will use it.

The identifier VDB-240909 was assigned to this vulnerability. It is crucial for developers and system administrators who use SourceCodester Engineers Online Portal 1. to implement security patches and address the issue as swiftly as possible.

The vulnerable portion of the file remove_inbox_message.php can be seen below:

<?php
$Host="localhost";
$User="xxxx";
$Pwd="xxxx";
$Base="xxxx";
$DB = mysqli_connect($Host,$User,$Pwd,$Base);

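// id is taken directly from the query string with no validation
$id = $_GET["id"];

// ISSUE: No proper sanitization of the $id input; it is interpolated unquoted into the SQL text
$query_1="DELETE FROM engineeronline_inbox WHERE id=$id";
$result=mysqli_query($DB,$query_1) or die(mysqli_error($DB));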

header("Location: messages_in.php");
exit;
?>

Here, the $id input obtained from the user is not adequately sanitized before being used in the SQL query. This may enable attackers to inject arbitrary SQL code into the query, resulting in unintended behavior and unauthorized access to the database.

Original References

You can find the original disclosure of this vulnerability along with other useful information from the following sources:

1. https://www.exploit-db.com/exploits/240909
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5281
3. https://nvd.nist.gov/vuln/detail/CVE-2023-5281

Mitigation Recommendations

To safeguard against this SQL injection vulnerability, the developers of SourceCodester Engineers Online Portal 1. should address the issue by properly sanitizing and validating user inputs.

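Specifically, the $id input must be sanitized using functions like mysqli_real_escape_string() before being passed into the SQL query. Escaping alone only protects values placed inside a quoted string literal, and the query above interpolates $id unquoted, so the value should also be validated as an integer. Additionally, implementing prepared statements to execute SQL queries will significantly reduce the risks associated with SQL injection.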
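One way to apply these recommendations to the snippet shown earlier, as an added example (this is not the vendor's patch and not code from the original disclosure): it validates id as a positive integer and binds it through a prepared statement. The connection placeholders, HTTP status codes and error messages are assumptions.

```php
<?php
// Added example: hardened sketch of remove_inbox_message.php (not the vendor's patch).
// Make mysqli throw exceptions so failures are handled in one place
// instead of being echoed to the client with die(mysqli_error()).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. Validate: id must be a positive integer; anything else is rejected
//    before a database connection is even opened.
$id = filter_input(INPUT_GET, "id", FILTER_VALIDATE_INT,
                   ["options" => ["min_range" => 1]]);
if ($id === null || $id === false) {   // null: parameter missing, false: not an integer
    http_response_code(400);
    exit("Invalid message id");
}

try {
    // Connection values are placeholders, as in the original snippet.
    $DB = mysqli_connect("localhost", "xxxx", "xxxx", "xxxx");

    // 2. Parameterize: the SQL text is fixed and the value is bound as an
    //    integer ("i"), so input can never change the statement's structure.
    $stmt = mysqli_prepare($DB, "DELETE FROM engineeronline_inbox WHERE id = ?");
    mysqli_stmt_bind_param($stmt, "i", $id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
} catch (mysqli_sql_exception $e) {
    // 3. Log the detail server-side; return only a generic message.
    error_log("remove_inbox_message: " . $e->getMessage());
    http_response_code(500);
    exit("Request failed");
}

header("Location: messages_in.php");
exit;
?>
```

The same pattern applies to any other script in the application that builds SQL from request parameters.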

Moreover, system administrators using the platform should ensure they install any security updates released by the developers. Regularly monitoring security sources and following the best security practices will help minimize the chances of getting caught off guard by new vulnerabilities.

Conclusion

The critical vulnerability CVE-2023-5281 discovered in SourceCodester Engineers Online Portal 1. could have severe implications for users of the platform. By exploiting this vulnerability through SQL injection, attackers can potentially gain unauthorized access to sensitive data. Developers and system administrators must act promptly to address this security issue and ensure that the platform remains secure.

Timeline

Published on: 09/29/2023 19:15:09 UTC
Last modified on: 11/07/2023 04:23:46 UTC