CVE-2019-25473
Description
Clinic Pro contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the month parameter. Attackers can send POST requests to the monthly_expense_overview endpoint with crafted month values using boolean-based blind, time-based blind, or error-based SQL injection techniques to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Clinic Pro has a SQL injection in the monthly_expense_overview endpoint, allowing authenticated attackers to extract database data via the month parameter.
Vulnerability
Overview
Clinic Pro, a PHP CodeIgniter-based clinic management system, contains a SQL injection vulnerability in the monthly_expense_overview endpoint. The month POST parameter is neither validated nor bound as a query parameter before it reaches the database, so an authenticated attacker can inject arbitrary SQL into the query. The vulnerability can be exploited using boolean-based blind, time-based blind, or error-based SQL injection techniques [1][2].
Exploitation
An attacker must first authenticate to the application. Then, by sending a crafted POST request to /welcome/monthly_expense_overview with a malicious month value, they can manipulate the underlying SQL query. The provided proof-of-concept demonstrates injection via RLIKE for boolean-based blind, BENCHMARK for time-based blind, and EXTRACTVALUE for error-based SQL injection [1]. All three are MySQL/MariaDB constructs, so the proof-of-concept implies a MySQL-family backend; a legitimate month value is a small integer, which is what makes a strict allow-list check effective against every variant.
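Because the legitimate value for month is an integer from 1 to 12, any other value sent to this endpoint is already anomalous, and the three techniques the proof-of-concept uses each carry a telltale MySQL function name. The following detection rule is an added example written for this page, not code from the advisory or from Clinic Pro. It assumes a request log that records POST bodies (a plain web-server access log does not; a WAF, reverse proxy or application-level log is needed), and the log format and sample lines below are constructed for the demo.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log: "<src> <method> <path> <url-encoded body>".
# This format is an assumption for the demo, not Clinic Pro's own logging.
SAMPLE_LOG = """\
10.0.0.5 POST /welcome/monthly_expense_overview month=3
10.0.0.5 POST /welcome/monthly_expense_overview month=12
10.0.0.9 POST /welcome/monthly_expense_overview month=3+AND+(SELECT+1)+RLIKE+'1'
10.0.0.9 POST /welcome/monthly_expense_overview month=3+AND+BENCHMARK(5000000,MD5(1))
10.0.0.9 POST /welcome/monthly_expense_overview month=3+AND+EXTRACTVALUE(1,CONCAT(0x7e,version()))
10.0.0.7 POST /welcome/index month=3+AND+1=1
"""

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>.*))?$")
TARGET_PATH = "/welcome/monthly_expense_overview"

# Allow-list: the only legitimate values are 1..12 (optionally zero-padded).
VALID_MONTH = re.compile(r"^(0?[1-9]|1[0-2])$")

# Keyword tags for the three techniques named in the proof-of-concept
# (SLEEP/UPDATEXML added as the usual MySQL siblings of BENCHMARK/EXTRACTVALUE).
TECHNIQUES = [
    ("boolean-based blind", re.compile(r"\bRLIKE\b", re.I)),
    ("time-based blind", re.compile(r"\b(BENCHMARK|SLEEP)\s*\(", re.I)),
    ("error-based", re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(", re.I)),
]


def classify(value: str) -> str:
    """Name the injection technique a rejected month value most resembles."""
    for name, rx in TECHNIQUES:
        if rx.search(value):
            return name
    return "unknown SQL injection attempt"


def detect(log_text: str):
    """Return (line_no, source_ip, technique, month_value) for every POST to the
    vulnerable endpoint whose month parameter fails the allow-list."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != TARGET_PATH:
            continue
        # parse_qs decodes '+' to space and splits repeated keys into a list.
        params = parse_qs(m["body"] or "", keep_blank_values=True)
        for month in params.get("month", []):
            if VALID_MONTH.match(month):
                continue  # legitimate request, nothing to report
            hits.append((lineno, m["src"], classify(month), month))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The allow-list check, not the keyword list, is what catches the attack: an injection that avoids RLIKE, BENCHMARK and EXTRACTVALUE still fails `VALID_MONTH` and is reported as an unknown attempt. The keyword tags only add a technique label for triage.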
Impact
Successful exploitation allows the attacker to extract sensitive information from the database, including patient records, financial data, and other confidential information stored by the clinic. The attacker can enumerate the database schema and retrieve arbitrary data [2]. Because blind techniques are available, extraction does not depend on the application ever displaying query output; the boolean and timing differences alone are enough.
Mitigation
As of the advisory publication date (March 2019), no vendor patch has been confirmed. Until one is available, the month parameter should be validated against an allow-list (an integer from 1 to 12) and passed to the database through parameterized queries rather than string concatenation; in CodeIgniter that means query bindings or the Query Builder instead of interpolating the value into raw SQL. Restricting access to the vulnerable endpoint is at best a partial control, since exploitation already requires a valid account; monitoring POST requests to /welcome/monthly_expense_overview for non-numeric month values is a useful compensating measure. The vendor homepage is softwebinternational.com [1].
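To make the exploitation and mitigation sections concrete, the following is an added example written for this page, not code from Clinic Pro or from the advisory's proof-of-concept. It reproduces the vulnerable pattern (the month value spliced into SQL text), runs a boolean-based blind extraction against it, and then shows the hardened version that validates month and binds it as a parameter. The schema, table and column names, and the secret being extracted are assumptions constructed for the demo; SQLite is used so it runs offline, so the oracle compares with `=` where the real proof-of-concept uses MySQL's RLIKE (the mechanic is identical), and the time-based (BENCHMARK) and error-based (EXTRACTVALUE) variants are not reproduced because SQLite lacks those functions.

```python
import re
import sqlite3

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the clinic's database.
    Table and column names are assumptions, not Clinic Pro's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE expenses(id INTEGER, month INTEGER, amount REAL);
        INSERT INTO expenses VALUES (1, 3, 120.0), (2, 3, 80.5), (3, 4, 10.0);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
        """
    )
    return conn


def monthly_expense_vulnerable(conn: sqlite3.Connection, month: str) -> float:
    """The vulnerable pattern: untrusted input concatenated into SQL text."""
    sql = f"SELECT COALESCE(SUM(amount), 0) FROM expenses WHERE month = {month}"
    return conn.execute(sql).fetchone()[0]


def blind_extract(oracle, max_len: int = 16) -> str:
    """Boolean-based blind extraction: the response (a non-zero total vs 0)
    leaks one bit per request, so we guess the secret one character at a time."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            payload = (
                f"3 AND (SELECT substr(password,{pos},1) FROM users "
                f"WHERE username='admin')='{ch}'"
            )
            if oracle(payload) > 0:  # true branch: the real month-3 total comes back
                recovered += ch
                break
        else:
            break  # no character matched: end of the secret
    return recovered


def monthly_expense_fixed(conn: sqlite3.Connection, month: str) -> float:
    """Hardened version: allow-list validation, then a bound parameter."""
    if not re.fullmatch(r"0?[1-9]|1[0-2]", month):
        raise ValueError("month must be an integer from 1 to 12")
    sql = "SELECT COALESCE(SUM(amount), 0) FROM expenses WHERE month = ?"
    return conn.execute(sql, (int(month),)).fetchone()[0]


def attack_and_fix():
    """Run the blind extraction against the vulnerable query, then confirm the
    fixed query rejects injected input. Returns (leaked_secret, injection_blocked)."""
    conn = build_db()
    leaked = blind_extract(lambda m: monthly_expense_vulnerable(conn, m))
    try:
        monthly_expense_fixed(conn, "3 AND 1=1")
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    secret, blocked = attack_and_fix()
    print(f"leaked via blind injection: {secret!r}; fixed query blocked payload: {blocked}")
```

The point of the fixed function is that both layers matter: the allow-list rejects anything that is not a month before a query is built, and parameter binding means that even a value which slipped past validation would be sent as data, never as SQL. In CodeIgniter the equivalent of the bound query is `$this->db->query("... WHERE month = ?", array($month))` or `$this->db->where('month', $month)` through the Query Builder.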
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions
No linked articles in our index yet.