VYPR
Unrated severity · NVD Advisory · Published Jan 28, 2022 · Updated Aug 4, 2024

CVE-2021-45435

Description

An SQL Injection vulnerability exists in Sourcecodester Simple Cold Storage Management System using PHP/OOP 1.0 via the username field in login.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Simple Cold Storage Management System 1.0 login allows unauthenticated attackers to bypass authentication and extract database contents.

Vulnerability

An SQL injection vulnerability exists in the login.php file of Sourcecodester Simple Cold Storage Management System using PHP/OOP version 1.0. The username parameter is directly concatenated into a SQL query without sanitization or parameterization, as shown in the source code: $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password')"); [1]. This allows an attacker to inject arbitrary SQL commands. The vulnerability is reachable without authentication by accessing the admin login page at /csms/admin/login.php.

Exploitation

An attacker can exploit this vulnerability by submitting a crafted username value to the login form. For example, using the payload admin'-- terminates the string and comments out the remainder of the query, bypassing authentication [1]. More advanced techniques such as UNION-based SQL injection can be used to extract data from the database. No prior authentication or special privileges are required; only network access to the login page is needed.

Impact

Successful exploitation allows an attacker to bypass authentication and gain administrative access to the application. Additionally, the attacker can retrieve arbitrary data from the database, including user credentials and other sensitive information, leading to full compromise of the application and its data [1].

Mitigation

As of the publication date, no official patch has been released by the vendor. Users should implement input validation and use prepared statements or parameterized queries to prevent SQL injection. The application may be end-of-life or unsupported; migrating to a secure alternative is recommended [1].
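The following is an added example, not code from the Simple Cold Storage Management System project, showing the login query quoted above rewritten with a mysqli prepared statement. It assumes a mysqli connection object and the users table with username and password (MD5 hex) columns that the advisory describes; the function name login_safe and the id column are assumptions for illustration.

```php
<?php
// Added example (not the project's code). Assumes a mysqli connection and a
// users table with columns id, username, password (unsalted MD5 hex, as in
// the advisory). Only the injection is fixed here; the MD5 storage scheme is
// left as the application has it.

// Vulnerable form from the advisory, for contrast: user input is interpolated
// directly into the SQL text, so a username such as  admin'--  rewrites the query.
//   $qry = $conn->query("SELECT * from users where username = '$username'
//                        and password = md5('$password')");

function login_safe(mysqli $conn, string $username, string $password): ?array
{
    // The ? placeholder is sent separately from the query text, so whatever
    // the user types is only ever compared as a literal username value.
    $stmt = $conn->prepare(
        "SELECT id, username, password FROM users WHERE username = ? LIMIT 1"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if (!$user) {
        return null; // unknown username
    }

    // Compare the stored hash in PHP with a constant-time comparison instead
    // of letting the database evaluate password = md5('...') on attacker text.
    if (!hash_equals($user['password'], md5($password))) {
        return null; // wrong password
    }

    unset($user['password']); // never hand the hash back to the caller
    return $user;
}

// Usage (assumed connection parameters):
// $conn = new mysqli('localhost', 'csms', 'secret', 'csms_db');
// $user = login_safe($conn, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($user === null) { /* reject login */ }
```

With the statement prepared this way, the payload admin'-- from the Exploitation section is bound as the literal string "admin'--", matches no row, and the function returns null. Note that unsalted MD5 is a weak way to store passwords in its own right; moving to password_hash()/password_verify() is a separate change not covered by this advisory.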

References
  1. CVE-2021-45435

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)