CVE-2018-18803

Vulnerability

Curriculum Evaluation System version 1.0 contains two SQL injection vulnerabilities. The login function in includes/user.vb directly concatenates user-supplied username and password parameters into a SQL query without sanitization [1]. The search function in frmCourse.vb similarly concatenates the txtSearch.Text value into a LIKE query [1]. Both allow an attacker to inject arbitrary SQL commands.

Exploitation

An attacker can exploit the login injection by submitting a crafted username such as 'or 1=1 or ''=' with any password, bypassing authentication [1]. The search injection can be triggered by entering malicious SQL in the search textbox. The provided proof-of-concept demonstrates extracting the database version and current database name using a UNION-based injection [1]. No authentication is required for either attack vector.

Impact

Successful exploitation allows an attacker to bypass authentication and gain administrative access to the application. Additionally, the attacker can extract arbitrary data from the database, including user account details and course information. This could lead to full compromise of the application's data and functionality.

Mitigation

No official patch or updated version has been released by the vendor (SourceCodester) as of the publication date [1]. The application appears to be end-of-life. Mitigation requires manual code fixes: replace all dynamic SQL with parameterized queries or prepared statements. Input validation and escaping should be applied to all user-supplied data. Until such fixes are implemented, the application should not be exposed to untrusted networks.