CVE-2022-29981

Vulnerability

Simple Client Management System version 1.0 contains a SQL injection vulnerability in the /cms/classes/Users.php?f=delete endpoint. The id parameter is directly concatenated into SQL queries without proper sanitization, allowing an attacker to inject arbitrary SQL statements. The vulnerability is reachable via a POST request to the endpoint, as demonstrated in the proof-of-concept [1].

Exploitation

An attacker with network access to the application can exploit this vulnerability by sending a crafted POST request to /cms/classes/Users.php?f=delete with a malicious id parameter. The reference shows a payload such as id=11' and length(database()) =6 --+ to perform boolean-based blind SQL injection. The attacker can infer database information by observing differences in response length (e.g., Content-Length varies based on condition truth) [1]. No authentication is explicitly required, but the provided request includes a session cookie, suggesting the endpoint may be intended for authenticated users.

Impact

Successful exploitation allows an attacker to extract sensitive information from the database, such as the database name (cms_db) and its length. This can be escalated to retrieve other data, including user credentials or application secrets, potentially leading to full compromise of the application and its data [1].

Mitigation

As of the publication date (2022-05-12), no official patch or updated version has been released by the vendor (oretnom23 via SourceCodester). The application remains vulnerable. Users should apply input validation and parameterized queries to the id parameter in /cms/classes/Users.php as a workaround. Until a fix is available, restrict network access to the application and monitor for suspicious requests [1].