CVE-2022-41440

Vulnerability

Billing System Project v1.0, a PHP-based billing system, contains a SQL injection vulnerability in the /phpinventory/editcategory.php script. The id parameter is directly concatenated into a SQL query without sanitization, as confirmed by the vendor reference [1]. The vulnerability exists in versions as available from SourceCodester (version v1.0) and can be reached by any authenticated user with Super Admin credentials (e.g., mayurik/rootadmin) [1].

Exploitation

An attacker must first authenticate with a valid Super Admin account [1]. Once logged in, they can craft a GET request to /phpinventory/editcategory.php with a malicious id parameter. The provided proof-of-concept payload -1' union select 1,database(),3,4--+ demonstrates how to retrieve the database name [1]. The attack requires no additional privileges beyond the initial authentication and can be executed over HTTP.

Impact

Successful exploitation allows the attacker to perform SQL injection, leading to unauthorized disclosure of the database contents. The example payload retrieves the database name (store1), but more complex queries could extract user credentials, billing records, or other sensitive information stored in the underlying MySQL database [1]. The attacker gains read access to all data accessible to the application's database user.

Mitigation

No official patch has been released for CVE-2022-41440 as of the publication date [1]. Users should sanitize the id parameter using prepared statements or parameterized queries. Until a fix is available, restricting network access to the application and ensuring database accounts have minimal privileges are recommended temporary workarounds [1].