VYPR
Unrated severity · NVD Advisory · Published Nov 9, 2022 · Updated May 1, 2025

CVE-2022-43292

Description

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /youthappam/editfood.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Canteen Management System v1.0 has a SQL injection vulnerability in the id parameter of /youthappam/editfood.php allowing an attacker to extract database contents.

Vulnerability

Canteen Management System v1.0, built using PHP and available via SourceCodester, contains a SQL injection vulnerability in the id parameter of /youthappam/editfood.php [1]. The application does not properly sanitize user input before using it in a SQL query, allowing an authenticated attacker to inject arbitrary SQL commands [1]. The vulnerable parameter is id and the affected database is named youthappam [1]. The vendor-provided source code is available at https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html [1].

Exploitation

An attacker must be authenticated (a Super Admin account with credentials mayuri.infospace@gmail.com/rootadmin was used in the report) [1]. The exploit is performed by sending a GET request to /youthappam/editfood.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8,9--+ [1]. The injected payload uses a UNION SELECT to retrieve the database name from the database() function [1]. The attacker does not need any special privileges beyond the login, and the attack is straightforward as the parameter is directly injectable without complex encoding [1].

Impact

Successful exploitation allows the attacker to extract sensitive information from the database, such as the database name (youthappam), and potentially other data (e.g., user credentials, system tables) by modifying the UNION SELECT columns [1]. This can lead to disclosure of all data in the application's database, including user details and possibly administrative access if credentials are compromised [1]. The impact is information disclosure with a high confidentiality impact, as evidenced by the CVSS score indicating a high severity [1].

Mitigation

As of the publication date (2022-11-09), no official patch has been released for this vulnerability [1]. The application is from a third-party vendor (mayuri_k) and may no longer be actively maintained [1]. Users are advised to apply input validation and parameterized queries to fix the SQL injection, or consider migrating to a different, secure solution [1]. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog as of this writing [1].
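The input validation and parameterized query the mitigation section recommends, shown side by side with the concatenation pattern the advisory describes. This is an added illustration, not the Canteen Management System's own code: the table name `food`, the column `food_id`, the handler structure and the MySQLi connection are assumptions, since the advisory only names the `id` parameter and the `/youthappam/editfood.php` path.

```php
<?php
// Added example (not the vendor's code). Illustrates the class of defect the
// advisory describes for /youthappam/editfood.php and one way to fix it.

// Assumed vulnerable shape: the id parameter is interpolated straight into the
// query string, so a value such as -1' union select ... is parsed as SQL.
function load_food_vulnerable(mysqli $db, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT * FROM food WHERE food_id = '$id'";   // table/column names assumed
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Step 1 of the fix: the id is a row identifier, so enforce that it is a
// positive integer before it goes anywhere near the database. Returns null
// for anything else, which the caller turns into a 400 response.
function validate_food_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2 of the fix: bind the value as a parameter. Even if validation were
// ever loosened, a bound parameter is sent as data and cannot change the
// statement's structure. Assumes mysqlnd (needed for get_result()).
function load_food_hardened(mysqli $db, array $get): ?array
{
    $id = validate_food_id($get['id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM food WHERE food_id = ?");
    $stmt->bind_param('i', $id);          // 'i' marks the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Stand-alone check of the validation layer (no database needed).
// The second input is the URL-decoded form of the payload quoted in the advisory.
$samples = [
    '42'                                                  => 42,
    "-1' union select 1,database(),3,4,5,6,7,8,9-- "      => null,
    '0'                                                   => null,   // min_range is 1
    '7abc'                                                => null,
];
foreach ($samples as $input => $expected) {
    $got = validate_food_id((string) $input);
    printf("%-50s => %s\n", var_export($input, true), var_export($got, true));
    assert($got === $expected);
}
```

Pair the parameterized query with `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` and `display_errors=Off` in production so that a failed statement raises an exception the application logs rather than printing a database error to the browser; verbose SQL errors in responses are what make an injectable parameter easy to confirm.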

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)