CVE-2024-8147: Critical Vulnerability Found in Code-Projects Pharmacy Management System 1. - SQL Injection Exploit Over "id" Argument

A critical vulnerability has been found in the Code-Projects Pharmacy Management System (PMS) version 1.. This vulnerability affects the processing of the file "/index.php?action=editPharmacist" and might lead to SQL Injection through the manipulation of the argument "id". This exploit may be launched remotely, and since it has been disclosed to the public, there is a risk of it being used by cyber attackers.

Details

The vulnerability, identified as CVE-2024-8147, is an SQL injection vulnerability that stems from the lack of proper input validation and sanitization of user inputs. This allows the attacker to manipulate the "id" argument and inject malicious SQL queries into the back-end database, potentially leading to unauthorized access, data leakage, or even complete system compromise.

The vulnerable code snippet within the "index.php?action=editPharmacist" file can be seen below

$id = $_GET['id'];
$query = "SELECT * FROM pharmacist WHERE id = '$id'";
$result = mysqli_query($link, $query);

As you can see, the "id" parameter is taken directly from the user input without any proper input validation or sanitization processes. This can lead to SQL injection if an attacker provides a specifically crafted value.

Exploit

An attacker can exploit this vulnerability by sending a specially crafted request to the target application, containing malicious SQL queries within the "id" argument.

Example

GET /index.php?action=editPharmacist&id=' OR 1=1 --

By injecting the payload " ' OR 1=1 -- ", the attacker can bypass authentication and gain unauthorized access to restricted data and functionalities of the PMS.

Mitigation

To mitigate this vulnerability, developers of the Code-Projects Pharmacy Management System should implement proper input validation and sanitization measures to prevent the execution of malicious SQL queries within the context of the application. This can be done using methods such as prepared statements and parameterized queries.

1. Code-Projects Pharmacy Management System: https://www.code-projects.org/pharmacy-management-system/
2. Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8147
3. National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2024-8147

Conclusion

CVE-2024-8147 is a critical vulnerability found in Code-Projects Pharmacy Management System 1. that allows attackers to remotely exploit an SQL injection vulnerability. This issue puts the confidentiality, integrity, and availability of sensitive data at risk. Developers and administrators should take immediate action to mitigate this vulnerability by implementing proper input validation and sanitization measures. Additionally, it is crucial to keep an eye on software patches and updates to maintain the highest level of security.

Timeline

Published on: 08/25/2024 09:15:04 UTC
Last modified on: 09/11/2024 18:37:20 UTC