VYPR
Unrated severity · NVD Advisory · Published Feb 9, 2024 · Updated Jun 20, 2025

CVE-2024-25310

Description

Code-projects Simple School Management System 1.0 allows SQL injection via the 'id' parameter at "School/delete.php?id=5".

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Simple School Management System 1.0 allows attackers to extract or modify database contents via the 'id' parameter in delete.php.

Vulnerability

Simple School Management System version 1.0, developed by Code Projects, contains a SQL injection vulnerability in the delete.php script. The id parameter is directly concatenated into SQL queries without proper sanitization or parameterization, allowing an attacker to inject arbitrary SQL commands. The vulnerable endpoint is accessible at School/delete.php?id=5 after authentication. The application is written in PHP and uses a MySQL database. [1]

Exploitation

An attacker must first authenticate to the application. After logging in, they navigate to the class management section and click the delete-class button. The resulting HTTP GET request to School/delete.php?id=5 can be captured using a proxy like Burp Suite. The attacker then uses a tool such as sqlmap with the -p id parameter and appropriate options (e.g., --risk 3 --level 5 --dbms mysql) to exploit the blind SQL injection. The proof of concept demonstrates boolean-based blind injection. [1]

Impact

Successful exploitation allows an attacker to extract sensitive data from the database, including user credentials, personal information, and other application data. The attacker can also modify or delete records, potentially leading to data integrity loss or denial of service. The impact is limited to the database layer; however, depending on database privileges, further compromise of the underlying system may be possible. [1]

Mitigation

As of the publication date (2024-02-09), no official patch or updated version has been released by the vendor. The application appears to be unmaintained. Mitigation requires manual code review and implementation of prepared statements or parameterized queries for all database interactions. Input validation and escaping of the id parameter should be enforced. Until a fix is applied, administrators should restrict access to the application and monitor for suspicious activity. [1]
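To make the mitigation concrete, the block below shows the unsafe pattern described above beside a hardened version that validates the id and binds it through a prepared statement. This is an added example, not code from the Simple School Management System project or from the NVD entry; the vulnerable function is a hypothetical reconstruction of the concatenation pattern, and the table name `classes`, the function names and the use of mysqli are assumptions.

```php
<?php
// Added example (not the project's code). Assumes a mysqli connection $db
// and a hypothetical "classes" table whose primary key is an integer "id".

// Unsafe pattern: the raw GET value is spliced into the SQL text, so anything
// placed in ?id= is interpreted by MySQL as part of the statement.
function deleteClassVulnerable(mysqli $db, array $get): bool
{
    $id  = $get['id'] ?? '';
    $sql = "DELETE FROM classes WHERE id = '" . $id . "'"; // attacker controls $id
    return (bool) $db->query($sql);
}

// Hardened form: (1) validate the type, (2) bind the value as a parameter so the
// database engine receives it as data, never as SQL.
function deleteClassSafe(mysqli $db, array $get): bool
{
    // FILTER_VALIDATE_INT rejects anything that is not a plain positive integer.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // A rejected value here is also a useful detection signal: log it.
        error_log('delete.php: rejected non-integer id=' . var_export($get['id'] ?? null, true));
        http_response_code(400);
        return false;
    }

    $stmt = $db->prepare('DELETE FROM classes WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);   // 'i' = integer placeholder
    $ok      = $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();

    // Exactly one row should go away; anything else indicates a problem.
    return $ok && $deleted === 1;
}

// Usage (assumed connection details; placeholder credentials):
// $db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'school');
// deleteClassSafe($db, $_GET);
```

The integer validation alone would stop injection for a numeric id, but the prepared statement is the control that should be applied to every query in the application, since it keeps working when a parameter is a string rather than a number. Logging rejected values at this endpoint gives administrators the "suspicious activity" signal the advisory recommends monitoring for.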

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.