CVE-2023-33677
Description
Sourcecodester Lost and Found Information System's Version 1.0 is vulnerable to unauthenticated SQL Injection at "?page=items/view&id=*".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sourcecodester Lost and Found Information System v1.0 has an unauthenticated SQL injection in the items/view page via the id parameter.
Vulnerability
The Lost and Found Information System version 1.0 from Sourcecodester is vulnerable to unauthenticated SQL injection in the ?page=items/view&id=* endpoint. The id parameter is directly concatenated into SQL queries without sanitization or parameterization, allowing an attacker to inject arbitrary SQL commands. No authentication is required to reach this code path [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the vulnerable URL, appending malicious SQL payloads to the id parameter. Since the application does not require authentication, any remote attacker can perform this attack. Typical SQL injection techniques such as UNION-based or error-based injection can be used to extract data [1].
Impact
Successful exploitation allows an attacker to read, modify, or delete arbitrary data from the underlying database. This can lead to disclosure of sensitive information, including user credentials, personal data, and system configuration. In some cases, the attacker may escalate to full database compromise or gain administrative access to the application [1].
Mitigation
As of the publication date (2024-03-06), no official patch or updated version has been released by Sourcecodester. Users are advised to implement input validation and use parameterized queries (prepared statements) to mitigate the risk. Until a fix is available, restricting network access to the application or deploying a web application firewall (WAF) may reduce exposure [1].
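The two mitigations named above (input validation and parameterized queries), shown beside the concatenation flaw as an added example that is not code from Sourcecodester or from the application. Python with an in-memory SQLite database stands in for the application's own stack; the table, columns, function names and sample rows are hypothetical and constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, status INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)",
                   [(1, "Black wallet", 1), (2, "Set of keys", 1),
                    (3, "Unpublished entry", 0)])
    return db

def view_item_concatenated(db, query_string):
    # The flawed pattern the advisory describes: id is pasted into the SQL text,
    # so whatever follows the number is parsed as part of the statement.
    item_id = parse_qs(query_string).get("id", [""])[0]
    sql = "SELECT id, title FROM items WHERE status = 1 AND id = " + item_id
    return db.execute(sql).fetchall()

def view_item_bound_only(db, query_string):
    # Parameterized query without validation: the value is bound as data and
    # compared against the id column, never parsed as SQL.
    raw = parse_qs(query_string).get("id", [""])[0]
    sql = "SELECT id, title FROM items WHERE status = 1 AND id = ?"
    return db.execute(sql, (raw,)).fetchall()

def view_item_hardened(db, query_string):
    # Mitigation 1: input validation. id must appear once and be ASCII digits only.
    values = parse_qs(query_string).get("id", [])
    if len(values) != 1:
        raise ValueError("id must appear exactly once")
    raw = values[0]
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 10):
        raise ValueError("id must be an unsigned integer")
    # Mitigation 2: parameterized query with the validated integer bound to it.
    sql = "SELECT id, title FROM items WHERE status = 1 AND id = ?"
    return db.execute(sql, (int(raw),)).fetchall()
```

Validation rejects malformed input early, which also gives a clean signal to log and alert on; binding is what removes the injection itself, so the two are used together rather than as alternatives.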
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sourcecodester/Lost and Found Information System
- Range: = 1.0
Patches
No patches discovered yet.