CVE-2021-47846
Description
Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email and password parameters across police, incharge, user, and HQ login endpoints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Digital Crime Report Management System 1.0 has unauthenticated SQL injection in four login pages, allowing attackers to bypass authentication entirely.
Vulnerability Overview
Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability in its login functionality. The application fails to sanitize user-supplied input in the email and password parameters across four distinct login pages: police, incharge, user, and HQ. By injecting crafted payloads such as 'or''=', an attacker can manipulate the SQL query to always return a valid result, effectively bypassing authentication checks [1][3].
Exploitation
No authentication is required to reach any of the vulnerable login endpoints. An attacker can send a POST request to /digital-cyber-crime-report/policelogin.php, /inchargelogin.php, /userlogin.php, or the HQ equivalent with the malicious payload in both the email and password fields. The exploit is trivial to execute and does not require any special network position beyond HTTP access to the application [1].
Impact
Successful exploitation grants the attacker immediate access to the application as any user role (police, incharge, user, or HQ). This can lead to unauthorized viewing of crime reports, management of user records, and potential further compromise of the system's data and functionality [2][3].
Mitigation
As of the publication date, no official patch has been released. The vendor's website still offers the vulnerable version for download [2]. Users of this system should apply input validation and parameterized queries to all login endpoints, or discontinue use of the software until a fix is provided.
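The difference between the concatenated login query and the parameterized one recommended above, as an added example that is not code from the application or its vendor. The affected application is PHP; this sketch uses Python with an in-memory SQLite database so it runs offline, and the table name, column names and sample account are assumptions. In PHP the same fix is a prepared statement through PDO or mysqli.

```python
import hashlib
import hmac
import os
import sqlite3

PAYLOAD = "'or''='"  # the payload quoted in the overview above


def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE police "
               "(email TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO police VALUES (?, ?, ?, ?)",
               ("officer@example.test", "S3cure-pass", salt,
                hash_pw("S3cure-pass", salt)))
    return db


def login_vulnerable(db, email, password):
    # Input is spliced into the SQL text, so quotes in it change the query.
    sql = ("SELECT email FROM police WHERE email='" + email +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db, email, password):
    # The placeholder binds the value as data; it is never parsed as SQL.
    row = db.execute("SELECT salt, pw_hash FROM police WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Compare salted hashes in application code, in constant time.
    return hmac.compare_digest(hash_pw(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", login_vulnerable),
                     ("parameterized", login_hardened)):
        print(name, "query accepts payload:", fn(db, PAYLOAD, PAYLOAD))
```

The same change has to be made on each of the four login pages, since any one left concatenating input still bypasses authentication for that role.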
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.0
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.