A critical vulnerability has been discovered in Code-Projects Library System 1., putting user information and the functionality of the system at risk. The vulnerability, identified as CVE-2024-1829, affects unspecified functionality in the file Source/librarian/user/student/registration.php. Manipulating arguments such as email, registration number, phone, and username leads to SQL injection, and the attack can be launched remotely. The exploit has been released publicly, so it is available to potential attackers.

Exploit Details

The vulnerability lies in registration.php, where user input is not properly checked before it is used in a SQL query, which makes SQL injection possible. By exploiting it, an attacker could potentially compromise the entire Library System and gain unauthorized access to sensitive user information.

An example code snippet showing the vulnerability:

<?php
   // Source/librarian/user/student/registration.php
   // ...
   $email = $_POST['email'];
   $regno = $_POST['regno'];
   $phone = $_POST['phone'];
   $username = $_POST['username'];
   // ...
   $sql = "INSERT INTO students (email, regno, phone, username) VALUES ('$email', '$regno', '$phone', '$username')";
   // ...
?>

In the snippet above, the user inputs are interpolated directly into the SQL string without validation or parameter binding, so a quote character in any field changes the structure of the query. This is the SQL injection vulnerability.

To mitigate this issue, it is essential to use prepared statements or parameterized queries to prevent SQL injection. Here is a recommendation to fix the code:

<?php
   // Source/librarian/user/student/registration.php
   // ...
   $email = $_POST['email'];
   $regno = $_POST['regno'];
   $phone = $_POST['phone'];
   $username = $_POST['username'];
   // ...
   // Placeholders keep the values out of the SQL text; "ssss" binds all four as strings.
   $stmt = $conn->prepare("INSERT INTO students (email, regno, phone, username) VALUES (?, ?, ?, ?)");
   $stmt->bind_param("ssss", $email, $regno, $phone, $username);
   $stmt->execute();
   // ...
?>
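
A self-contained variant of the fix, added here as an illustration and not taken from the project: it uses PDO with an in-memory SQLite database in place of the page's mysqli connection so that it runs without a database server, and it puts allow-list validation in front of the bound insert. The function names, table schema and validation patterns are assumptions, and the pdo_sqlite extension is assumed to be available.

```php
<?php
declare(strict_types=1);

// Allow-list checks for the four fields; the patterns are assumptions, adjust to local formats.
function validate_registration(array $post): array {
    $s = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $errors = [];
    if (filter_var($s('email'), FILTER_VALIDATE_EMAIL) === false) $errors[] = 'email';
    if (!preg_match('/\A[A-Za-z0-9\/-]{3,20}\z/', $s('regno')))   $errors[] = 'regno';
    if (!preg_match('/\A\+?[0-9]{7,15}\z/', $s('phone')))         $errors[] = 'phone';
    if (!preg_match('/\A[A-Za-z0-9_.]{3,32}\z/', $s('username'))) $errors[] = 'username';
    return $errors;
}

// Values travel as bound parameters, so they can never change the statement's structure.
function insert_student(PDO $db, array $f): void {
    $stmt = $db->prepare(
        'INSERT INTO students (email, regno, phone, username) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$f['email'], $f['regno'], $f['phone'], $f['username']]);
}

// Returns the list of rejected field names; an empty list means the row was stored.
function register(PDO $db, array $post): array {
    $errors = validate_registration($post);
    if ($errors === []) insert_student($db, $post);
    return $errors;
}

// Demo on an in-memory SQLite database (schema is assumed, all inputs are constructed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (email TEXT, regno TEXT, phone TEXT, username TEXT)');

$ok  = ['email' => 'a.student@example.edu', 'regno' => 'CS/2024/017',
        'phone' => '+15550100', 'username' => 'a.student'];
$bad = ['email' => 'not-an-email', 'regno' => "CS'17",   // constructed: malformed email,
        'phone' => ['x'], 'username' => 'ok_name'];      // quote in regno, array-typed phone

var_dump(register($db, $ok));
var_dump(register($db, $bad));

// Binding on its own: a value containing quotes is passed straight to the insert, skipping validation.
$quoted = ['username' => "o'brien \"x\", y"] + $ok;
insert_student($db, $quoted);
$rows = $db->query('SELECT username FROM students')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows);
```

Validation narrows what reaches the database, but the bound parameters are what stop a quote from being parsed as SQL, which is why the last insert is safe even though it skips the validator.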

Original References

This vulnerability was initially reported to the public through various security organizations, with detailed explanations and information provided. Below are some of the original references to review for further insights and details:

1. NVD - National Vulnerability Database
2. Vulnerability Database (VDB-254617)

Conclusion

It is highly recommended that users of the Code-Projects Library System 1. promptly update their system to the latest version to ensure the vulnerability is addressed and security is maintained. Regular auditing of the code and keeping up to date with security patches will help to reduce the risk of potential attacks.

Timeline

Published on: 02/23/2024 18:15:50 UTC
Last modified on: 03/21/2024 02:51:46 UTC