CVE-2022-30528
Description
SQL Injection vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to execute arbitrary commands via the username parameter to /system/user/modules/mod_users/controller.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in ISIC tour booking allows unauthenticated attackers to bypass login and execute arbitrary SQL queries.
Vulnerability
A SQL injection vulnerability exists in the ISIC tour booking application as published on February 13th, 2018, in the /system/user/modules/mod_users/controller.php file. The selectByUsername() function in helper.php concatenates the user-supplied username parameter directly into a SQL query without sanitization, allowing injection of arbitrary SQL [1][2]. The vulnerable parameter is username during the login process (action=doLogin). All versions of the application up to and including the commit published on that date are affected.
Exploitation
An attacker with network access to the application can exploit this by sending a POST request to the controller with action=doLogin and a crafted username parameter. For example, using a UNION-based injection like admin' union select 1,2,3,4,5,6,'0192023a7bbd73250516f069df18b500',8,9 limit 1,1# allows the attacker to set the password hash to a known value (MD5 of 'admin123') and bypass authentication [2]. The attacker must also know (or guess) the number of columns in the user table. Additional steps in the full attack chain include exploiting information disclosure to obtain the admin username and later uploading a webshell via file upload [2].
Impact
Successful exploitation allows the attacker to bypass authentication and log in as any user (typically admin) without knowing the correct password. This can lead to complete compromise of the application, as the attacker can then upload a webshell and achieve remote code execution (RCE) on the server [2]. The impact includes information disclosure, unauthorized administrative access, and full system takeover.
Mitigation
No official fix has been released for this vulnerability; the affected version is from Feb 13th, 2018, and the repository appears unmaintained [1][2]. In the absence of a patch, the login logic should be changed to look up the username with a parameterized (prepared) query, combined with input validation of the username parameter. Until such a change is applied, the application remains vulnerable.
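Added illustration of the remediation described above, not code from the ISIC tour booking project: the string-concatenated lookup that the description attributes to selectByUsername(), beside a PDO prepared-statement version and a login check built on it. The PDO handle, the users table and its username/password column names are assumptions.

```php
<?php
// Added example; not the project's own code. Assumptions: $pdo is a PDO
// connection configured with PDO::ERRMODE_EXCEPTION, and the users table
// has `username` and `password` columns, the latter holding an MD5 hash
// as the CVE narrative implies.

// Pattern the CVE describes for selectByUsername(): the username is spliced
// into the SQL text, so a quote inside it ends the literal and the rest of
// the value becomes part of the query.
function selectByUsernameVulnerable(PDO $pdo, string $username): array|false
{
    $sql = "SELECT * FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is sent once, the value is bound separately,
// so the username can only ever be compared as data and cannot change the
// structure of the query.
function selectByUsernameSafe(PDO $pdo, string $username): array|false
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Login check on top of the safe lookup (assumed shape of doLogin).
// hash_equals() gives a constant-time comparison; in a real fix the MD5
// scheme itself should be replaced by password_hash()/password_verify().
function doLogin(PDO $pdo, string $username, string $password): bool
{
    // Optional allow-list on the username shape; defence in depth only,
    // the prepared statement is what prevents the injection.
    if (!preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $username)) {
        return false;
    }
    $user = selectByUsernameSafe($pdo, $username);
    if ($user === false || !isset($user['password'])) {
        return false;
    }
    return hash_equals((string) $user['password'], md5($password));
}
```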
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- asith-eranga/ISIC tour booking
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
No linked articles in our index yet.