VYPR
Unrated severity · NVD Advisory · Published Nov 22, 2022 · Updated Apr 29, 2025

CVE-2022-43212

Description

Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the orderId parameter at fetchOrderData.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection vulnerability in Billing System Project v1.0 allows remote attackers to execute arbitrary SQL commands via the orderId parameter in fetchOrderData.php.

Vulnerability

Billing System Project v1.0, a PHP-based application for managing invoices and billing, contains a SQL injection vulnerability in the fetchOrderData.php script. The orderId parameter is directly concatenated into SQL queries without proper sanitization or parameterization, allowing an attacker to inject arbitrary SQL commands. The vulnerability is present in the version available from SourceCodester [1].

Exploitation

An attacker exploits this vulnerability by sending a crafted HTTP GET or POST request to fetchOrderData.php with a malicious orderId value; the AI synthesis assesses that no prior authentication or special privileges are needed. Standard SQL injection techniques apply: appending a single quote to provoke a database error confirms the parameter is injectable, and UNION-based payloads then extract data from other tables [2].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL queries against the underlying MySQL database. This can lead to unauthorized disclosure of sensitive data, including user credentials, customer information, and billing records. In some configurations, the attacker may also be able to modify or delete data, potentially compromising the integrity and availability of the application.

Mitigation

As of the publication date (2022-11-22), no official patch or updated version has been released by the vendor, and the project appears to be unmaintained. Mitigation therefore requires manual code review and remediation: developers should replace every dynamically built SQL string with a parameterized prepared statement (or a database layer that binds parameters on their behalf), so that orderId is sent to the database as a value and never as part of the query text. If, as the name suggests, orderId is a numeric identifier, it should additionally be validated as an integer before reaching the query; such validation and any escaping are defence in depth, not a substitute for parameterization. Until a fix is applied, restrict network access to the application or disable the vulnerable endpoint if possible.
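The following is an added example and not code from Billing System Project or from SourceCodester. It reproduces the mechanics described above (untrusted orderId concatenated into the query, the single-quote probe, a tautology and a UNION-based payload) and the fix (a validated, bound parameter). The project is PHP on MySQL; Python's sqlite3 is used here only so that the example runs offline, and the table names, columns, rows and payloads are constructed for the demonstration.

```python
"""Added example (not code from Billing System Project): why concatenating
orderId into a query is exploitable, and how binding it as a parameter fixes it.

The project is PHP on MySQL; Python's sqlite3 stands in so the whole thing
runs offline. Table names, columns and rows below are constructed sample data.
"""
import re
import sqlite3
from typing import List, Tuple


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed rows standing in for the
    application's order and user tables (names are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO orders VALUES (1, 'Alice Example', 120.50);
        INSERT INTO orders VALUES (2, 'Bob Example', 42.00);
        INSERT INTO users  VALUES (1, 'admin', 'constructed-hash-value');
        """
    )
    return conn


def fetch_order_vulnerable(conn: sqlite3.Connection, order_id: str) -> List[tuple]:
    """The pattern the advisory describes: the request parameter is pasted into
    the SQL text, so whatever it contains becomes part of the query grammar."""
    query = "SELECT customer, total FROM orders WHERE id = " + order_id
    return conn.execute(query).fetchall()


def probe_single_quote(conn: sqlite3.Connection, order_id: str) -> bool:
    """Classic first probe: a stray quote breaks the query. A database error
    surfacing from user input is the tell that the parameter is injectable."""
    try:
        fetch_order_vulnerable(conn, order_id)
        return False
    except sqlite3.OperationalError:
        return True


# Positive integer, at most 10 digits: a reasonable shape for an order identifier.
ORDER_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def fetch_order_safe(conn: sqlite3.Connection, order_id: str) -> Tuple[int, List[tuple]]:
    """Hardened version. Returns an (http_status, rows) pair so the caller can
    answer 400 on bad input instead of leaking a database error to the client.

    Two layers: strict validation of the identifier (defence in depth) and a
    bound parameter, which is what actually prevents injection: the driver
    sends the value separately from the query text, so it is never parsed as
    SQL. The PHP equivalents are PDO::prepare() with bindValue(), or
    mysqli_stmt::bind_param()."""
    if not ORDER_ID_RE.fullmatch(order_id):
        return 400, []
    rows = conn.execute(
        "SELECT customer, total FROM orders WHERE id = ?", (int(order_id),)
    ).fetchall()
    return 200, rows


# Constructed payloads of the kinds the Exploitation section mentions.
TAUTOLOGY_PAYLOAD = "1 OR 1=1"  # turns a single-row lookup into a full dump
# UNION needs the same column count as the original SELECT (two here).
UNION_PAYLOAD = "0 UNION SELECT username, password_hash FROM users"


if __name__ == "__main__":
    db = build_demo_db()
    print("legit lookup:      ", fetch_order_vulnerable(db, "1"))
    print("tautology payload: ", fetch_order_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("union payload:     ", fetch_order_vulnerable(db, UNION_PAYLOAD))
    print("quote probe errors:", probe_single_quote(db, "1'"))
    print("safe, union:       ", fetch_order_safe(db, UNION_PAYLOAD))
    print("safe, legit:       ", fetch_order_safe(db, "1"))
```

Running the module shows the vulnerable function returning the admin credential row for the UNION payload and every order for the tautology, while the hardened function rejects both with a 400 and still serves the legitimate lookup. The parameter binding is the fix; the regular expression only narrows the attack surface further and gives the application a clean error path.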

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.