CVE-2023-33439
Description
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Faculty Evaluation System v1.0 is vulnerable to SQL injection in manage_task.php, allowing authenticated admins to extract database contents.
Vulnerability
Sourcecodester Faculty Evaluation System v1.0 contains a SQL injection vulnerability in /eval/admin/manage_task.php?id=. The id parameter is directly concatenated into an SQL query without sanitization: $qry = $conn->query("SELECT * FROM task_list where id = ".$_GET['id'])->fetch_array();. This allows an authenticated admin user to inject arbitrary SQL commands. The vulnerability affects version v1.0 as provided by Sourcecodester [1].
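The concatenated query above beside a hardened rewrite, as an added example written for this page and not code from Sourcecodester; it assumes a mysqli connection `$conn`, a `task_list` table with an integer `id` column, and the mysqlnd driver (needed for `get_result()`).

```php
<?php
// Added example: the vulnerable pattern quoted in the advisory next to a hardened
// version. Assumes mysqli $conn and a task_list table with an integer id column.

// --- Vulnerable pattern (as quoted from /eval/admin/manage_task.php) ---
// $_GET['id'] is concatenated straight into the SQL string, so any value that is
// not a bare integer is parsed as SQL, and the database error text reaches the
// client. That combination is exactly what the error-based injection relies on.
function loadTaskVulnerable(mysqli $conn, array $get): array
{
    return $conn->query("SELECT * FROM task_list where id = " . $get['id'])->fetch_array();
}

// --- Hardened version ---
// 1. Validate: id must be a positive integer; anything else is rejected outright.
// 2. Bind the value through a prepared statement so it is always treated as data.
// 3. Keep driver errors server-side (log them), never in the HTTP response.
function loadTaskSafe(mysqli $conn, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // e.g. "1 and updatexml(...)" never reaches the database
    }

    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        $stmt = $conn->prepare("SELECT * FROM task_list WHERE id = ?");
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row ?: null;
    } catch (mysqli_sql_exception $e) {
        error_log('manage_task lookup failed: ' . $e->getMessage());
        return null;   // generic failure to the caller; details stay in the log
    }
}
```

With `display_errors` turned off in production PHP configuration, the hardened path leaves no error channel for the caller to read database contents from.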
Exploitation
An attacker must have valid admin credentials (e.g., admin@admin.com/admin123). By sending a crafted GET request to /eval/admin/manage_task.php with a malicious id parameter, such as 1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+, the server returns error messages containing the extracted database information (e.g., database name). The SQL injection is error-based and does not require additional user interaction [1].
Impact
Successful exploitation enables an authenticated attacker to extract sensitive data from the database, including database names, table structures, and potentially user credentials. This can lead to complete disclosure of the underlying database contents, compromising confidentiality and potentially enabling further attacks [1].
Mitigation
As of the publication date (2023-05-26), no official patch or workaround has been released by the vendor. The software may be end-of-life. Users are advised to restrict admin panel access to trusted networks or migrate to a secure alternative [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sourcecodester/Faculty Evaluation System
- Range: = v1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.