Title | SOURCECODESTER Employee Task Management System 1.0 / edit-task.php task_id SQL Injection |
---|
Description | A low-privilege authenticated SQL injection vulnerability found in Employee Task Management System v1.0.
Vendor Homepage: https://www.sourcecodester.com
Software Link: Employee Task Management System (https://www.sourcecodester.com/php/15383/employee-task-management-system-phppdo-free-source-code.html)
Version: v1.0
Details of the Issue:
The employee task management system supports two user roles: one is admin, the other is the normal employee. The details of the roles are given below:
- Admin user has full access to the system.
- Employee user has access to only a few menus, i.e. Task Management (only assigned tasks) and Attendance (clock in and out).
So, if the admin assigns a task to a normal employee, that employee can perform SQL injection while editing the task from his/her profile. Therefore, a low-privileged user could gain access to the full system.
Affected Page:
edit-task.php
On this page, the task_id parameter is vulnerable to SQL injection.
Proof of Concept:
The following steps are involved:
1- Admin assigns a task to an employee (ABC).
2- Employee ABC edits the task and can perform SQL injection through the vulnerable parameter (edit-task.php?task_id=765).
The following payload can be used to exploit the SQL injection on this page:
URL: localhost/etms/edit-task.php?task_id=765%27+and+false+union+select+1,version(),3,database(),user(),6,7--+-
Recommendation:
Whoever uses this CMS should replace line 27 of edit-task.php with the following code to avoid the SQL injection:
Old Code:
$sql = "SELECT * FROM task_info WHERE task_id='$task_id' ";
New Code:
// Prepared statement: task_id is sent as a bound parameter, never spliced into the SQL text
$sql = $obj_admin->db->prepare("SELECT * FROM task_info WHERE task_id=:task_id ");
$sql->bindParam(':task_id', $task_id);
$sql->execute();
$row = $sql->fetch(PDO::FETCH_ASSOC); |
---|
Source | https://github.com/navaidzansari/CVE_Demo/blob/main/2023/Employee%20Task%20Management%20System%20-%20SQL%20Injection.md |
---|
User | navaidansari (ID 41266) |
---|
Submission | 2023-02-17 20:45 (1 year ago) |
---|
Moderation | 2023-02-18 08:35 (12 hours later) |
---|
Status | Accepted |
---|
VulDB Entry | 221452 |
---|
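The recommended fix above, carried through as an added example (not the project's own code nor the submitter's): the prepared statement from the Recommendation plus two guards a defender would want on edit-task.php, input validation of task_id and scoping a non-admin's lookup to tasks assigned to them. The column name `assigned_to`, the role strings and the `loadTaskForEditor` function are assumptions; the demo table is constructed in an in-memory SQLite database.

```php
<?php
// Added example, not code from the Employee Task Management System.
// Assumed/hypothetical names: column `assigned_to`, roles 'admin'/'employee'.

function loadTaskForEditor(PDO $db, $rawTaskId, int $employeeId, string $role): ?array
{
    // Guard 1: task_id must be a plain positive integer. The payload from the
    // advisory (765' and false union select ...) contains a quote and stops here.
    if (!is_string($rawTaskId) || !ctype_digit($rawTaskId)) {
        return null;
    }
    $taskId = (int) $rawTaskId;

    // Guard 2: a prepared statement with a typed bound parameter, so the value
    // can never be parsed as SQL syntax even if guard 1 were removed.
    if ($role === 'admin') {
        $stmt = $db->prepare('SELECT * FROM task_info WHERE task_id = :task_id');
    } else {
        // Guard 3: a non-admin may only load tasks assigned to them, so an
        // employee cannot edit other employees' tasks by guessing ids
        // (assigned_to is an assumed column name).
        $stmt = $db->prepare(
            'SELECT * FROM task_info WHERE task_id = :task_id AND assigned_to = :emp'
        );
        $stmt->bindValue(':emp', $employeeId, PDO::PARAM_INT);
    }
    $stmt->bindValue(':task_id', $taskId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo against a constructed in-memory SQLite table
// (the real application uses MySQL; the table shape here is minimal).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE task_info (task_id INTEGER PRIMARY KEY, title TEXT, assigned_to INTEGER)');
$db->exec("INSERT INTO task_info VALUES (765, 'Quarterly report', 12), (766, 'Audit', 99)");

$injected = "765' and false union select 1,2,3--";
var_dump(loadTaskForEditor($db, '765', 12, 'employee'));      // employee 12, own task
var_dump(loadTaskForEditor($db, '766', 12, 'employee'));      // employee 12, another employee's task
var_dump(loadTaskForEditor($db, $injected, 12, 'employee'));  // the advisory's injection shape
var_dump(loadTaskForEditor($db, '766', 1, 'admin'));          // admin, any task
```

In edit-task.php the call would take `$obj_admin->db` as the handle and `$_GET['task_id']` as the raw value, with the employee id and role read from the session; a null result should be answered with a 404 rather than rendering the edit form.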