VYPR
Unrated severity · NVD Advisory · Published Dec 21, 2023 · Updated Apr 23, 2025

Railway Reservation System v1.0 - Multiple Unauthenticated SQL Injections (SQLi)

CVE-2023-48689

Description

Railway Reservation System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The train.php resource does not validate the characters it receives in the 'byname' parameter; the value is passed unfiltered into a database query.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in Railway Reservation System v1.0 via the 'byname' parameter in train.php allows full database compromise.

Vulnerability

Railway Reservation System version 1.0 by Projectworlds Pvt. Limited is vulnerable to an unauthenticated SQL injection in the train.php resource. The byname parameter is neither validated nor sanitized, and its value is concatenated unfiltered into a database query. Because train.php is publicly accessible, no prior authentication is needed to reach the flaw. The vulnerability is tracked as CVE-2023-48689 [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the train.php endpoint with a SQL payload in the byname parameter. No authentication is required, and the attack is carried out remotely over the network. The attacker appends SQL syntax to the parameter value, and because the application concatenates that value directly into the query string without sanitization, the injected syntax is parsed as part of the query rather than treated as data [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL statements on the backend database. This can lead to full data exfiltration (information disclosure), modification or deletion of database records, and, if the database account holds additional privileges such as the ability to write files on the server, potentially operating system command execution. The CVSS v3.1 score is 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2023-12-21), the vendor has not released a patched version for Railway Reservation System v1.0. The actual fix is to rewrite the database access in train.php, and in every other endpoint that takes user-controllable parameters, to use parameterized queries (prepared statements) so that parameter values are bound as data and never become part of the SQL text. Input validation and a web application firewall (WAF) filtering SQL injection patterns are defense in depth only: they reduce exposure but do not remove the underlying flaw. If the software is no longer maintained, consider replacing it with a supported alternative, and restrict the database account the application uses to the minimum privileges it needs so that a successful injection cannot escalate to file writes or command execution [1].
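The following is an added example, not code from the Railway Reservation System project or from this advisory. It models the pattern described in the Exploitation and Mitigation sections above: a lookup that concatenates the byname value into the query (the flaw) beside the same lookup written as a parameterized query (the fix). The original application is PHP with a MySQL backend; here Python with an in-memory SQLite database stands in for it so the example runs offline. The table and column names (train, train_name, source, destination, users, username, password), the sample rows and the two payload strings are constructed for this illustration and are not taken from the page or from the real train.php schema.

```python
import sqlite3

# Constructed in-memory schema standing in for the application's database.
# Table and column names are assumptions for this example only.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute(
        "CREATE TABLE train (id INTEGER PRIMARY KEY, train_name TEXT, "
        "source TEXT, destination TEXT)"
    )
    cur.executemany(
        "INSERT INTO train (train_name, source, destination) VALUES (?, ?, ?)",
        [
            ("Rajdhani Express", "Delhi", "Mumbai"),
            ("Shatabdi Express", "Delhi", "Chandigarh"),
            ("Duronto Express", "Kolkata", "Pune"),
        ],
    )
    # A second table the search page was never meant to expose.
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    cur.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret-hash"), ("clerk", "another-hash")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, byname: str) -> list:
    """Mirrors the flaw described for train.php: the request parameter is
    concatenated straight into the SQL text, so quotes and keywords in it
    are parsed as SQL."""
    sql = (
        "SELECT train_name, source, destination FROM train "
        "WHERE train_name = '" + byname + "'"
    )
    return conn.execute(sql).fetchall()


def search_hardened(conn: sqlite3.Connection, byname: str) -> list:
    """Same lookup with a parameterized query: the value is bound as data
    by the driver and can never change the structure of the statement."""
    sql = "SELECT train_name, source, destination FROM train WHERE train_name = ?"
    return conn.execute(sql, (byname,)).fetchall()


# Two constructed payload shapes of the kind the advisory describes.
# TAUTOLOGY turns the WHERE clause into an always-true condition;
# UNION_DUMP appends rows from another table to the result set. The
# trailing "-- " comments out the closing quote the application adds.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION ALL SELECT username, password, 'x' FROM users-- "


def demo() -> dict:
    """Run both lookups against a normal value and against the payloads and
    return the row counts so the difference is visible at a glance."""
    conn = build_db()
    return {
        "vuln_normal": len(search_vulnerable(conn, "Rajdhani Express")),
        "vuln_tautology": len(search_vulnerable(conn, TAUTOLOGY)),
        "vuln_union": len(search_vulnerable(conn, UNION_DUMP)),
        "safe_normal": len(search_hardened(conn, "Rajdhani Express")),
        "safe_tautology": len(search_hardened(conn, TAUTOLOGY)),
        "safe_union": len(search_hardened(conn, UNION_DUMP)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

Against the vulnerable lookup the tautology returns every train and the UNION payload returns the contents of the users table; against the parameterized lookup both payloads are simply a train name that does not exist and return nothing. The comment marker and quoting rules differ slightly between SQLite and MySQL, but the concatenation flaw and the prepared-statement fix are the same in both.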

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.