CVE-2024-28816
Description
Student Information Chatbot a0196ab allows SQL injection via the username to the login function in index.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Student Information Chatbot allows unauthenticated attackers to bypass authentication and compromise the database.
Root cause
The login function in index.php interpolates the user-supplied username parameter directly into the SQL string before calling prepare(), so the prepared statement offers no protection: the query is built as SELECT * FROM users WHERE username='$username' AND password='$password' and only then passed to prepare() and execute(). Because the value becomes part of the SQL text rather than a bound parameter, an attacker can inject arbitrary SQL via the username field [1].
Exploitation
The vulnerability requires no authentication. An attacker can send a POST request with a malicious payload such as ' or 1=1 # in the username parameter to bypass authentication and log in as any user. Additionally, boolean-based blind injection is possible, which can extract sensitive data from the database. The attack vector is simple and does not rely on any special privileges [1].
Impact
Successful exploitation can lead to full compromise of the database, including unauthorized access to all user data, modification or deletion of records, and potential further vertical escalation within the application. The confidentiality, integrity, and availability of the data are at high risk [1].
Mitigation
The vendor has provided a fix via a pull request that changes the code to use parameterized queries: SELECT * FROM users WHERE username=? AND password=? with $stmt->execute([$username, $password]). Users are advised to apply this patch or upgrade to the latest version to prevent SQL injection. No workaround is available beyond applying the fix [1].
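As an added illustration, not code from the Student Information Chatbot project or its pull request, the following PHP places the interpolated query from the root-cause section beside the parameterized form from the fix and runs both against a constructed in-memory SQLite database. The users table, the sample rows, and the function names vulnerableLogin/safeLogin are assumptions made for this demo; the only input exercised is the username payload already quoted above.

```php
<?php
// Added example for CVE-2024-28816: vulnerable vs. parameterized login.
// Not the project's code. The schema, rows and in-memory SQLite database
// are constructed for the demo; the real index.php targets a MySQL-style
// database, which matters for the '#' in the payload (see below).

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Constructed sample rows. The plaintext password column mirrors the
    // query quoted in the advisory, not a recommendation.
    $db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct-horse'), ('bob', 'battery-staple')");
    return $db;
}

// Vulnerable pattern, as described for the login function in index.php:
// user-controlled values are spliced into the SQL text, so prepare()
// receives a query whose structure the caller has already altered.
function vulnerableLogin(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $stmt = $db->prepare($sql);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fixed pattern, as in the vendor's pull request: placeholders keep the
// query structure fixed and the values are bound separately, so they are
// never parsed as SQL.
function safeLogin(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username=? AND password=?');
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function check(bool $condition, string $label): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $label");
    }
    echo "ok: $label\n";
}

$db = makeDb();
$payload = "' or 1=1 #";   // the username payload quoted in the advisory

// Legitimate credentials succeed in both versions.
check(safeLogin($db, 'alice', 'correct-horse')['username'] === 'alice', 'safeLogin accepts valid credentials');
check(vulnerableLogin($db, 'alice', 'correct-horse')['username'] === 'alice', 'vulnerableLogin accepts valid credentials');

// Parameterized: the payload is compared as a literal username and does not match any row.
check(safeLogin($db, $payload, 'anything') === null, 'safeLogin treats the payload as data and denies login');

// Interpolated: the quote in the payload closes the string literal and the rest of
// the input is parsed as SQL. On MySQL the '#' comments out the password check and
// the first user row comes back (the authentication bypass in this CVE). SQLite has
// no '#' comment, so here the altered query is rejected as a syntax error instead.
// Either outcome shows that user input reached the SQL parser.
try {
    $row = vulnerableLogin($db, $payload, 'anything');
    echo "vulnerableLogin: bypass, logged in as " . $row['username'] . "\n";
} catch (PDOException $e) {
    echo "vulnerableLogin: input was parsed as SQL (" . $e->getMessage() . ")\n";
}
```

Run it with the PDO SQLite driver enabled (`php example.php`). The parameterized version is the one to keep; note that it still compares a plaintext password column exactly as the advisory's fixed query does, so parameterization closes the injection described here but does not by itself address credential storage, which would need password_hash()/password_verify() and is outside the scope of this CVE.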
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)