VYPR
Unrated severity · NVD Advisory · Published May 13, 2022 · Updated Aug 3, 2024

CVE-2022-30413

Description

Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/classes/Master.php?f=delete_application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL injection in Master.php via the id parameter, enabling data exfiltration.

Vulnerability

Covid-19 Travel Pass Management System v1.0, developed by oretnom23 and available from SourceCodester, contains a SQL injection vulnerability in the /ctpms/classes/Master.php?f=delete_application endpoint [1]. The id parameter is not properly sanitized before being used in a SQL query, allowing an attacker to inject arbitrary SQL code. The application is written in PHP and uses a MySQL backend. Affected version is v1.0, as noted in the vendor source [1].

Exploitation

The vulnerability is exploitable via a POST request to the vulnerable endpoint [1]. An attacker needs no authentication, as the vulnerable function is accessible without prior login. The attacker can simply send a crafted POST request with a malicious id parameter, such as id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ [1]. This payload uses an error-based SQL injection technique: updatexml raises a MySQL error whose message contains the result of the injected subquery. The attacker must have network access to the application instance.

Impact

Successful exploitation allows an attacker to read data from the database, including potentially other tables and credentials. The proof-of-concept shows extraction of the database name via error-based SQL injection [1]. This is a classic SQL injection leading to information disclosure. The attacker can potentially enumerate multiple values, compromising the confidentiality of the system.

Mitigation

No official patch or updated version has been released by the vendor as of the publication date [1]. The project appears to be orphaned or unmaintained. Users should consider rewriting the SQL query with parameterized statements or prepared statements, and validate and sanitize all user-supplied input. Until a fix is available, it is recommended to restrict network access to the application and monitor for suspicious requests.
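As an added illustration (not code from the project or from this advisory), the PHP snippet below places a string-concatenated delete of the kind described above beside a hardened version that validates the id and binds it through a mysqli prepared statement. The table name, column name, session key, and the `db_connect()` helper are assumptions.

```php
<?php
// Added example: illustrative only, not the project's own Master.php.
// Table `application_list`, column `id`, session key `userdata` and the
// connection details are assumptions; credentials are placeholders.

function db_connect(): mysqli {
    $conn = new mysqli('localhost', 'app_user', 'app_pass', 'ctpms_db');
    if ($conn->connect_error) {
        throw new RuntimeException('DB connection failed: ' . $conn->connect_error);
    }
    return $conn;
}

// Vulnerable pattern: untrusted input is interpolated into the SQL text,
// so a quote in $id ends the literal and the rest is parsed as SQL.
function delete_application_vulnerable(mysqli $conn, string $id): bool {
    $sql = "DELETE FROM application_list WHERE id = '{$id}'";
    return (bool) $conn->query($sql);
}

// Hardened pattern: the id is validated as a positive integer and then bound
// as a parameter, so the database never treats it as part of the statement.
function delete_application_safe(mysqli $conn, string $id): bool {
    if (!ctype_digit($id) || (int) $id <= 0) {
        return false; // reject anything that is not a plain positive integer
    }
    $idInt = (int) $id;
    $stmt = $conn->prepare('DELETE FROM application_list WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $idInt);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handler: require a logged-in session before reaching the database,
// since the advisory notes the endpoint was reachable without authentication.
function handle_delete_application(mysqli $conn): void {
    session_start();
    if (empty($_SESSION['userdata'])) {
        http_response_code(401);
        return;
    }
    $id = $_POST['id'] ?? '';
    echo delete_application_safe($conn, $id) ? 1 : 0;
}
```

Input validation alone is not the fix; the prepared statement is what removes the injection, and the integer check simply narrows what reaches it.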

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
