A new vulnerability (CVE-2024-35359) has been discovered in Diño Physics School Assistant version 2.3. It affects code in the file /classes/Master.php?f=view_item, where a malicious user can manipulate the 'id' argument, resulting in possible SQL injection attacks. In this post, we cover the details of the vulnerability, sample code snippets to illustrate the issue, links to relevant original references, and further information on exploiting the vulnerability.
Vulnerability Details
CVE Identifier: CVE-2024-35359
Software: Diño Physics School Assistant version 2.3
Affected File: /classes/Master.php?f=view_item
Impact: SQL Injection
Vector: Manipulating the 'id' argument
CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command - 'SQL Injection')
The vulnerability exists within the Master.php file in the following code block:
class Master {
    public function view_item($id) {
        // $id comes straight from the request and is interpolated into the
        // statement text, so it can change the structure of the query.
        $query = "SELECT * FROM items WHERE id={$id}";
        // Legacy mysql_* extension (removed in PHP 7.0); no parameter binding.
        $result = mysql_query($query);
        return $result;
    }
}
The problem with this code snippet is that the user-provided value ('$id') is neither validated nor bound as a parameter before it is placed in the SQL query text, so it is interpreted as part of the query. This makes it susceptible to SQL injection attacks.
Exploit Details
An attacker can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter when making requests to the vulnerable script. For example:
GET /classes/Master.php?f=view_item&id=1 UNION SELECT 1,2,3,4,(SELECT @@version),6,7,8--
This request would execute the injected SQL query and return the current version of the MySQL database server.
Links to Original References
1. Diño Physics School Assistant Homepage
2. CVE Details and Description
3. Common Vulnerabilities and Exposures (CVE®)
4. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Mitigation Steps
To prevent this vulnerability, developers should follow secure coding practices, such as validating and sanitizing user-provided input before using it in SQL queries. This can include:
- Using prepared statements or parameterized queries, which separate user data from the SQL query structure, effectively preventing SQL injection attacks.
- Strictly validating and sanitizing user input, allowing only the expected values or character ranges.
To fix the existing vulnerability in Diño Physics School Assistant, the developers should replace the vulnerable code section in Master.php with a more secure implementation using prepared statements:
class Master {
    public function view_item($id) {
        // '?' is a placeholder: the query is compiled before the value is
        // supplied, so the user value never becomes part of the SQL text.
        $stmt = $this->mysqli->prepare("SELECT * FROM items WHERE id=?");
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->mysqli->error);
        }
        // 'i' binds $id as an integer; text such as "1 UNION ..." cannot alter the query.
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $result = $stmt->get_result();
        return $result;
    }
}
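To make the two mitigation steps above and the corrected view_item concrete, here is an added, self-contained example (not code from the advisory or from Diño Physics School Assistant) written in Python against an in-memory SQLite database. The items table, its rows, and the function names view_item_vulnerable, view_item_fixed and fixed_rejects are all constructed for this demonstration. The vulnerable function reproduces the page's defect (request value interpolated into the query text); the fixed function applies both mitigations: strict validation of 'id' as a positive integer, then a parameterized query. The injected value has the same UNION shape as the request shown in the exploit section, but only appends a literal marker row so the change in query structure is visible.

```python
import re
import sqlite3

# Constructed sample schema and rows; not the application's real database.
SAMPLE_ITEMS = [
    (1, "Pendulum", 12.5),
    (2, "Spring scale", 8.0),
    (3, "Inclined plane", 30.0),
]

# Constructed request value with the UNION shape from the advisory; it only
# appends a marker row so the effect on query structure is easy to see.
INJECTED_ID = "1 UNION SELECT 0, 'injected', 0"

# Only a positive decimal integer is an acceptable item id.
ID_PATTERN = re.compile(r"[1-9][0-9]*")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample items."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ITEMS)
    conn.commit()
    return conn


def view_item_vulnerable(conn: sqlite3.Connection, item_id: str) -> list:
    """Same defect as the page's Master::view_item: the request value is
    interpolated into the statement text, so it can rewrite the query."""
    query = f"SELECT id, name, price FROM items WHERE id={item_id}"
    return conn.execute(query).fetchall()


def view_item_fixed(conn: sqlite3.Connection, item_id: str) -> list:
    """Hardened form: validate the id, then bind it as a parameter."""
    # Mitigation 2 (strict validation): anything but a positive integer is
    # rejected before any SQL is built.
    if not isinstance(item_id, str) or not ID_PATTERN.fullmatch(item_id):
        raise ValueError("id must be a positive integer")
    # Mitigation 1 (parameterized query): '?' is a placeholder; the bound
    # value is data and is never parsed as SQL, regardless of its content.
    query = "SELECT id, name, price FROM items WHERE id=?"
    return conn.execute(query, (int(item_id),)).fetchall()


def fixed_rejects(conn: sqlite3.Connection, item_id: str) -> bool:
    """True if the hardened lookup refuses the given request value."""
    try:
        view_item_fixed(conn, item_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("benign id, vulnerable :", view_item_vulnerable(db, "2"))
    print("benign id, fixed      :", view_item_fixed(db, "2"))
    # The interpolated query returns a row that is not in the items table.
    print("injected, vulnerable  :", view_item_vulnerable(db, INJECTED_ID))
    print("injected, fixed rejects:", fixed_rejects(db, INJECTED_ID))
```

The validation step is what makes the integer binding meaningful at the application edge: a value that is not a plain positive integer is refused with a clear error before any query is built, which also gives a clean point at which to log the rejected request.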
Conclusion
The CVE-2024-35359 vulnerability discovered in Diño Physics School Assistant version 2.3 poses a significant security risk due to its potential for SQL injection attacks. Developers should take immediate steps to mitigate and resolve the vulnerability, while also keeping in mind the best practices for secure coding. Stay aware of the latest vulnerabilities and follow the recommended guidelines to keep your applications safe and secure.
Timeline
Published on: 05/30/2024 17:15:34 UTC
Last modified on: 08/19/2024 15:35:07 UTC