Security researchers have identified a critical SQL injection vulnerability in the Campcodes Complete Web-Based School Management System 1.. In particular, the vulnerability exists in the /model/update_subject.php file due to improper validation of user input in the name parameter. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the vulnerable system, leading to unauthorized access to sensitive data, manipulation of data, and even total system compromise.

Exploit Details

CVE-2024-34931 affects the Campcodes Complete Web-Based School Management System 1., which is a popular software solution for managing educational institutions. The flaw is specifically present in the /model/update_subject.php file that handles updating the subjects in the system. An attacker can submit specially crafted data via the name parameter, which can lead to a successful SQL injection attack.

Here is a code snippet of the vulnerable code in /model/update_subject.php

<?php
// [...]
$name = $_POST['name'];
$id = $_POST['id'];

$update_subject = "UPDATE tbl_subjects SET name='$name' WHERE id='$id'";

if (mysqli_query($conn, $update_subject)) {
    // [...]
} else {
    // [...]
}
?>

In this code, the $name and $id variables are assigned user-supplied input without proper validation or sanitization. Consequently, an attacker could submit crafted data to potentially compromise the entire system.

Proof of Concept

The attacker can exploit this vulnerability by sending a POST request to the /model/update_subject.php file with a specially crafted name parameter containing an SQL injection payload. Here is an example of such a payload:

POST /model/update_subject.php HTTP/1.1
Host: vulnerable_host
Content-Type: application/x-www-form-urlencoded
Content-Length: [length]

name=' OR '1'='1&id=1

In this example, the SQL injection payload is ' OR '1'='1, which would cause the backend SQL query to return true for all records, potentially allowing the attacker to access and manipulate data they are not authorized to access.

Mitigation

To mitigate this vulnerability, it is essential to employ proper input validation and sanitization techniques before processing user-supplied data. For instance, the PHP mysqli_real_escape_string() function can be used to escape special characters in a string for use in an SQL statement, effectively preventing SQL injection attacks. To implement this, the vulnerable code in /model/update_subject.php should be changed as follows:

<?php
// [...]
$name = mysqli_real_escape_string($conn, $_POST['name']);
$id = mysqli_real_escape_string($conn, $_POST['id']);

$update_subject = "UPDATE tbl_subjects SET name='$name' WHERE id='$id'";

if (mysqli_query($conn, $update_subject)) {
    // [...]
} else {
    // [...]
}
?>

Additionally, it is highly recommended to use prepared statements and parameterized queries to further reduce the risk of SQL injection attacks.

References

- Campcodes Complete Web-Based School Management System: https://www.campcodes.com/complete-web-based-school-management-system/
- CVE-2024-34931 - NIST National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2024-34931
- SQL Injection Prevention Cheat Sheet - OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Conclusion

In summary, the CVE-2024-34931 vulnerability presents a significant risk to organizations using the Campcodes Complete Web-Based School Management System 1.. Affected users should apply the recommended input validation and sanitization techniques promptly to prevent potential attacks exploiting this vulnerability. Further, staying informed about security best practices and being proactive in updating or patching vulnerable systems will help maintain a secure environment for users.

Timeline

Published on: 05/23/2024 17:15:29 UTC
Last modified on: 05/24/2024 01:15:30 UTC