VYPR
Unrated severity · NVD Advisory · Published Apr 16, 2025 · Updated Apr 16, 2025

CVE-2024-40068

Description

Sourcecodester Online ID Generator System 1.0 has a SQL injection in the id parameter of manage_template.php, allowing attackers to retrieve database contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The application places the `id` GET parameter straight into a SQL query, with no sanitization and no parameterized query, in /id_generator/admin/templates/manage_template.php. The vulnerable code is:

if(isset($_GET['id']) && $_GET['id'] > 0){
    $user = $conn->query("SELECT * FROM `id_format` where id ='{$_GET['id']}'");
    foreach($user->fetch_array() as $k =>$v){
        $$k = $v;
    }
}

The id parameter is concatenated directly into the SQL query string, allowing an attacker to break out of the intended SQL statement. The vulnerability affects Online ID Generator System V1.0, as referenced in [1]. The web application runs on Apache+PHP7.0 (or similar) with MySQL.

Exploitation

An attacker needs to be an authenticated admin user (default credentials admin/admin123; also requires a valid session cookie) and have access to the URL http://localhost/id_generator/admin/?page=templates/manage_template&id=1. By crafting the id parameter with SQL injection payloads (e.g., 1' and '1'='1), the attacker can observe different page responses when the condition is true versus false, confirming boolean-based blind SQL injection [1]. An automated tool like sqlmap can then be used to extract data, such as the current database name, using the id parameter with a valid session cookie.

Impact

Successful exploitation allows an authenticated attacker to retrieve arbitrary data from the database, potentially including other users' credentials, ID format templates, and other sensitive information. The injection is blind (boolean-based), but an attacker can enumerate tables, columns, and records. This can lead to a compromise of the entire application's data confidentiality. No code execution is directly described, but the attacker can dump the database contents and possibly elevate privileges using stolen admin credentials.

Mitigation

No official patch or updated version has been released by the vendor as of the publication date. As a workaround, developers should replace the direct concatenation with parameterized queries (prepared statements) in manage_template.php and other similar files. The input id must be validated as an integer and never embedded directly into SQL. If no fix is applied, the application remains vulnerable. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
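
The workaround described above, written out as an added example (not the vendor's code and not from the cited reference). It assumes `$conn` is the application's existing mysqli connection and that `id_format`.`id` is an integer column; `parse_template_id`, `load_id_format` and `$template` are names chosen for this example.

```php
<?php
// Added example, not the vendor's code. Assumes $conn is the application's
// existing mysqli connection and that `id_format`.`id` is an integer column.

/** Return $raw as a positive int, or null when it is not a plain integer. */
function parse_template_id($raw): ?int
{
    // The original `$_GET['id'] > 0` test accepts "1' and '1'='1" because PHP's
    // loose comparison does not reject the trailing text; this check rejects it.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Fetch one id_format row using a bound parameter; null when no row matches. */
function load_id_format(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT * FROM `id_format` WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed');
    }
    $stmt->bind_param('i', $id);   // value travels separately from the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;           // no matching row is handled, not iterated
}

// Page-level use in place of the vulnerable block.
$template = null;
$id = parse_template_id($_GET['id'] ?? null);
if ($id !== null && isset($conn) && $conn instanceof mysqli) {
    $template = load_id_format($conn, $id);
}

// Offline check of the validator on constructed inputs (CLI only, no database).
if (PHP_SAPI === 'cli') {
    foreach (['1', '42', "1' and '1'='1", '0', '-5', 'abc'] as $raw) {
        printf("%-16s => %s\n", $raw, var_export(parse_template_id($raw), true));
    }
}
```

The rest of the page would read fields from `$template` rather than from variables created with `$$k`; the same pattern applies to the other files that build queries from request parameters.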

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
