| Title | SOURCECODESTER Employee Task Management System 1.0 / task-details.php task_id SQL Injection |
|---|---|
| Description | Employee Task Management System task-details.php page parameter task_id is vulnerable to SQL Injection. This parameter is accessible to low-privilege users, and such a user could gain full system access. |
|---|---|
Vendor Homepage: https://www.sourcecodester.com
Software Link: Employee Task Management System (https://www.sourcecodester.com/php/15383/employee-task-management-system-phppdo-free-source-code.html)
Version: v1.0
Description:
The Employee Task Management System supports two user roles: one is admin, and the other is a normal employee. The details of each role are given below:
- Admin user has full access to the system
- Employee user has access to only a few menus, i.e. Task Management (view and edit only assigned tasks) and Attendance (clock in and out)
So, if the admin assigns a task to a normal employee, the employee could perform the SQL Injection by viewing that task from his/her profile. Therefore, low-privileged users could gain access to the full system.
Affected Page: task-details.php
On this page, the task_id parameter is vulnerable to SQL Injection attack.
Proof of Concept:
The following steps are involved:
- Admin assigns a task to an employee (ABC)
- Employee ABC views the task and could perform the SQL injection via the vulnerable parameter (task-details.php?task_id=765)
URL: /etms/task-details.php?task_id=765%27+and+false+union+select+1,version(),3,database(),user(),6,7,8--+-
Recommendation:
Whoever uses this CMS should update lines 27 to 30 of task-details.php with the following code to avoid SQL Injection attacks:
Old Code:
```php
// Vulnerable: $task_id is interpolated straight into the SQL string,
// so a quote in the parameter breaks out of the literal.
$sql = "SELECT a.*, b.fullname
FROM task_info a
LEFT JOIN tbl_admin b ON(a.t_user_id = b.user_id)
WHERE task_id='$task_id'";
$info = $obj_admin->manage_all_info($sql);
```
New Code:
```php
// Fixed: the value travels as a bound parameter of a prepared statement
// and can no longer alter the structure of the query.
$sql = $obj_admin->db->prepare("SELECT a.*, b.fullname FROM task_info a LEFT JOIN tbl_admin b ON(a.t_user_id = b.user_id) WHERE task_id=:task_id");
$sql->bindParam(':task_id', $task_id);
$sql->execute();
$row = $sql->fetch(PDO::FETCH_ASSOC);
```
| Source | https://github.com/navaidzansari/CVE_Demo/blob/main/2023/Employee%20Task%20Management%20System%20-%20SQL%20Injection%20-%202.md |
|---|---|
| User | navaidansari (UID 41266) |
|---|---|
| Submission | 17/02/2023 09:14 PM (3 years ago) |
|---|---|
| Moderation | 18/02/2023 08:37 AM (11 hours later) |
|---|---|
| Status | Approved |
|---|---|
| VulDB Entry | 221453 [SourceCodester Employee Task Management System 1.0 task-details.php task_id SQL Injection] |
|---|---|
| Points | 20 |
|---|---|
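The advisory's fix binds task_id as a prepared-statement parameter. A second, independent control is to treat task_id as what it is, a numeric key, and refuse or alert on anything else. The script below is an added example written for this page, not code from the advisory, its author, or the Employee Task Management System. It applies an integer allowlist check to the task_id parameter of requests to task-details.php found in web-server access logs, so a defender can spot attempts like the one in the PoC URL after the fact; the log lines are constructed for the example, and the same `is_valid_task_id` check is what a server-side input guard would enforce before the query runs.

```python
"""Flag requests to task-details.php whose task_id is not a plain integer.

Added example, not part of the advisory or the project. The application
expects task_id to be a numeric primary key, so any other value in that
parameter in an access log is worth an alert. The log lines are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Feb/2023:21:10:01 +0000] "GET /etms/task-details.php?task_id=765 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Feb/2023:21:10:09 +0000] "GET /etms/task-details.php?task_id=765%27+and+false+union+select+1,version(),3,database(),user(),6,7,8--+- HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Feb/2023:21:11:30 +0000] "GET /etms/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Feb/2023:21:12:12 +0000] "GET /etms/task-details.php?task_id=12abc HTTP/1.1" 500 311 "-" "curl/7.88"
"""

# Client IP, timestamp, request target and status code of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Allowlist: a task id is one or more ASCII digits and nothing else.
TASK_ID_RE = re.compile(r'[0-9]+')


def is_valid_task_id(value):
    """True only for a bare decimal integer; the same check a server-side guard would apply."""
    return TASK_ID_RE.fullmatch(value) is not None


def suspicious_task_ids(log_text):
    """Return one finding per task-details.php request whose task_id fails the allowlist.

    Each finding is a dict with the client ip, timestamp, decoded task_id and
    HTTP status. parse_qs percent-decodes the value and turns '+' into spaces,
    so the finding shows what the application actually received.
    """
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/task-details.php'):
            continue
        # keep_blank_values so an empty task_id is reported as well
        for task_id in parse_qs(parts.query, keep_blank_values=True).get('task_id', []):
            if not is_valid_task_id(task_id):
                findings.append({
                    'ip': m.group('ip'),
                    'ts': m.group('ts'),
                    'task_id': task_id,
                    'status': m.group('status'),
                })
    return findings


if __name__ == '__main__':
    for f in suspicious_task_ids(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} task_id={f['task_id']!r}")
```

Run against real logs, feed the access log text to `suspicious_task_ids` and review anything it returns; the decoded task_id shows exactly what reached the PHP script, which is more useful for triage than the percent-encoded request line.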