CVE-2023-31844
Description
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_subject.php?id=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Sourcecodester Faculty Evaluation System v1.0 allows an authenticated admin to extract database content via the manage_subject.php endpoint.
Vulnerability
The Faculty Evaluation System v1.0 by oretnom23, as distributed on Sourcecodester, is vulnerable to SQL injection in the /eval/admin/manage_subject.php endpoint. The id parameter is directly concatenated into an SQL query without sanitization. An authenticated administrator can exploit this to inject malicious SQL payloads. The vulnerable file is manage_subject.php and the injection occurs through the id GET parameter. The application is built using XAMPP with PHP 8.1. The database name is evaluation_db [1].
Exploitation
An attacker must first authenticate as an administrator (default credentials: admin@admin.com/admin123). Once logged in, the attacker can send a crafted GET request to /eval/admin/manage_subject.php?id= with a malicious SQL payload. For example, id=2%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ triggers an error-based blind SQL injection that leaks database information. The attack does not require any user interaction beyond the authentication step [1].
Impact
Successful exploitation allows the attacker to retrieve sensitive data from the database, including but not limited to user credentials, faculty records, and other stored information. The injection is confirmed to extract the database name via error-based techniques, but more extensive data extraction is possible. This compromises the confidentiality of the application’s data and could lead to further privilege escalation if credentials are stolen [1].
Mitigation
As of the publication date (2023-05-15), no official patch has been released by Sourcecodester or the vendor oretnom23. The project may be abandoned or unsupported. Users should apply input validation and parameterized queries to the id parameter in manage_subject.php. Since the vulnerability requires authentication, administrators should use strong, unique passwords and limit access. If the system is not actively maintained, consider migrating to an alternative solution [1].
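The contrast the Vulnerability and Mitigation sections draw, shown as an added illustration rather than code from the Faculty Evaluation System itself: the first function reproduces the pattern the description attributes to manage_subject.php (the id GET parameter concatenated into the query text), the second applies the fix recommended above, type validation followed by a prepared statement. The table and column names (subject_list, id) and the connection details are assumptions made for this example; only the database name evaluation_db comes from the description.

```php
<?php
// Added example (not the project's code). It shows the unsafe pattern described
// for manage_subject.php next to the hardened form recommended under Mitigation.
// Table/column names and connection values are assumptions for illustration.

// UNSAFE: the id parameter is spliced straight into the SQL string, so whatever
// arrives in ?id= is parsed by MySQL as part of the statement.
function load_subject_unsafe(mysqli $conn, array $get): ?array
{
    $id = $get['id'] ?? '';
    $qry = $conn->query("SELECT * FROM subject_list WHERE id = '{$id}'"); // injectable
    if ($qry === false) {
        // Echoing $conn->error to the browser is what makes error-based
        // injection informative; the message must stay server-side.
        return null;
    }
    return $qry->fetch_assoc() ?: null;
}

// SAFE: reject anything that is not a positive integer before any query runs,
// then bind the value so the database never interprets user input as SQL.
function load_subject_safe(mysqli $conn, array $get): ?array
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false || $id === null) {
        http_response_code(400);      // malformed id: refuse, do not guess
        return null;
    }

    $stmt = $conn->prepare("SELECT * FROM subject_list WHERE id = ?");
    if ($stmt === false) {
        error_log("prepare failed: " . $conn->error); // logged, never displayed
        return null;
    }
    $stmt->bind_param('i', $id);      // 'i': sent as an integer, separate from the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (credentials are placeholders; evaluation_db is the name given in the description):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $conn    = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'evaluation_db');
// $subject = load_subject_safe($conn, $_GET);
```

Two things carry the fix: the integer validation means the endpoint only ever sees a number, and the prepared statement means that even a value which slipped past validation would be bound as data rather than parsed as SQL. Keeping database error text out of the HTTP response removes the channel that error-based extraction relies on, independently of the query fix.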
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sourcecodester/Faculty Evaluation System
  - Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.