CVE-2023-31842

Vulnerability

Sourcecodester Faculty Evaluation System v1.0 (as available from Sourcecodester) is vulnerable to SQL injection in the /eval/index.php?page=edit_faculty&id= endpoint. The id parameter is not properly sanitized, allowing an attacker to inject arbitrary SQL queries. The vulnerability can be triggered without authentication, as demonstrated by sending a crafted GET request with a malicious id value [1].

Exploitation

An attacker can exploit this by sending a GET request to /eval/index.php?page=edit_faculty with a crafted id parameter. For example, the payload ?page=edit_faculty&id=-1%20union%20select%201,database(),3,4,5,6,7,8--+ causes the application to return the database name (evaluation_db) in the response [1]. No authentication is required; the attack can be performed over HTTP by any remote attacker. The public proof-of-concept includes a full HTTP request with headers and session cookies [1].

Impact

Successful exploitation allows an attacker to extract sensitive data from the underlying MySQL database, such as user credentials or other tables. The proof-of-concept shows extraction of the database name [1], but with further crafted payloads the attacker could enumerate tables, columns, and data, leading to complete disclosure of the database contents.

Mitigation

As of the publication date (2023-05-15), no official patch or updated version has been released by Sourcecodester. Users should sanitize input to the id parameter, use prepared statements, and restrict database permissions. If the application is in use, it should be isolated from untrusted networks until a fix is available [1].