CVE-2022-43215
Description
Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the endDate parameter at getOrderReport.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in Billing System Project v1.0 allows remote attackers to execute arbitrary SQL commands via the endDate parameter in getOrderReport.php.
Vulnerability
Billing System Project v1.0, a PHP-based application, contains a SQL injection vulnerability in the getOrderReport.php script. The endDate parameter is not properly sanitized before being used in a SQL query, allowing an attacker to inject arbitrary SQL commands. The vulnerability is present in the version available from SourceCodester [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to getOrderReport.php with a malicious endDate parameter. No authentication is required as the script is accessible without login. The attacker can use SQL injection techniques such as UNION-based or time-based blind injection to extract data. Reference [2] provides a proof-of-concept demonstrating the injection.
Impact
Successful exploitation allows an attacker to read, modify, or delete arbitrary data in the underlying MySQL database. This can lead to disclosure of sensitive information such as user credentials, billing records, and other application data. The attacker may also be able to bypass authentication or gain administrative access depending on the database configuration.
Mitigation
As of the publication date (2022-11-22), no official patch has been released by the vendor. The project appears to be unmaintained. Users should apply input validation and parameterized queries to the endDate parameter in getOrderReport.php as a workaround. Alternatively, consider migrating to a supported billing system.
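The workaround described above, sketched as an added example (not code from Billing System Project or from the cited references). The `orders` table, its columns, the `startDate` companion parameter, the `YYYY-MM-DD` format and the in-memory SQLite database standing in for MySQL are all assumptions made so the example runs on its own.

```php
<?php
declare(strict_types=1);

// Added example. Table/column names, the startDate parameter, the YYYY-MM-DD
// format and the SQLite stand-in are assumptions; the real application uses MySQL.

/** Return a canonical YYYY-MM-DD string, or null if the input is not a real date. */
function parseReportDate(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // The round-trip rejects trailing data and overflow dates such as 2022-02-31.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $d->format('Y-m-d') : null;
}

function orderReport(PDO $db, ?string $startRaw, ?string $endRaw): array
{
    $start = parseReportDate($startRaw);
    $end   = parseReportDate($endRaw);
    if ($start === null || $end === null || $start > $end) {
        throw new InvalidArgumentException('startDate/endDate must be valid YYYY-MM-DD dates');
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT id, order_date, total FROM orders
         WHERE order_date BETWEEN :start AND :end ORDER BY order_date'
    );
    $stmt->execute([':start' => $start, ':end' => $end]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, order_date TEXT, total REAL)');
$db->exec("INSERT INTO orders (order_date, total) VALUES ('2022-10-05', 120.0), ('2022-11-20', 75.5)");

echo count(orderReport($db, '2022-10-01', '2022-10-31')), " row(s)\n";

// Constructed malformed input: fails validation before any SQL is built.
try {
    orderReport($db, '2022-10-01', "2022-10-31' OR '1'='1");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Validation and binding are independent layers: the bound parameters alone stop the injection, and the strict date check additionally keeps malformed values out of the report logic. Against MySQL through `pdo_mysql`, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use server-side prepared statements.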
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Billing System Project/Billing System Project
  - Range: =1.0
Patches
No patches discovered yet.