CVE-2024-40072
Description
Sourcecodester Online ID Generator System 1.0 has an unauthenticated SQL injection in the id parameter at /admin/?page=generate/index&id=1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in Sourcecodester Online ID Generator System version 1.0. The issue resides in `id_generator/admin/generate/index.php`, where the GET parameter `id` is concatenated directly into a SQL query without sanitization or prepared statements. The vulnerable code snippet is `$qry = $conn->query("SELECT * FROM generated_id where id = '{$_GET['id']}'");`. This allows an attacker to inject arbitrary SQL via the `id` parameter at the URL /admin/?page=generate/index&id=1. The application was tested on Windows 10 with Apache and PHP 7.0 [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the vulnerable URL. The proof of concept demonstrates that supplying 1' and '1'='1 as the id value causes the page to display normally, while 1' and '1'='2 results in a different response, confirming the SQL injection [1]. Automated tools like sqlmap can be used to enumerate the database. No authentication is apparently required, as the vulnerable page is accessible without a valid session (though the reference includes a cookie for testing). The attacker only needs network access to the web server.
Impact
Successful exploitation allows an attacker to read, modify, or delete arbitrary data from the underlying MySQL database. Depending on database permissions, the attacker could extract sensitive information such as user credentials (the admin panel uses hardcoded credentials admin/admin123 [1]) or potentially achieve code execution via INTO OUTFILE or other advanced techniques. The impact includes complete compromise of database confidentiality, integrity, and availability.
Mitigation
As of the publication date (2025-04-16), no official patch or fixed version has been released by Sourcecodester. The recommendation is to validate the `id` parameter and to use prepared statements with parameterized queries so that its value is never interpolated into SQL text. The application vendor has not provided a security update. Users should consider disabling the affected feature or applying a Web Application Firewall (WAF) rule to block SQL injection patterns.
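The following is an added example of the recommended fix, written for this page and not taken from the project's code. It keeps the vulnerable line from the advisory as a comment and shows a hardened replacement. It assumes `$conn` is the mysqli connection the original snippet uses and that `generated_id.id` is an integer column (an assumption; the original compares it against a quoted string). The helper name `fetch_generated_id` is hypothetical.

```php
<?php
// Added example, not the project's own code. Hardened replacement for the
// query in id_generator/admin/generate/index.php.
// Assumes: $conn is a mysqli connection (as in the original snippet) and
// generated_id.id is an integer key (assumption).

// Original, vulnerable form quoted from the advisory (do not use):
//   $qry = $conn->query("SELECT * FROM generated_id where id = '{$_GET['id']}'");

/**
 * Fetch one generated_id row by integer id using a prepared statement.
 * Returns the row as an associative array, or null if the id is invalid
 * or no such row exists.
 */
function fetch_generated_id(mysqli $conn, $raw_id): ?array
{
    // 1. Validate: only a positive integer is an acceptable id. Anything
    //    else is rejected before it reaches the database layer.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterize: the SQL text is fixed and the value is bound
    //    separately, so quote characters in the input cannot alter the
    //    structure of the query.
    $stmt = $conn->prepare('SELECT * FROM generated_id WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();

    return $row ?: null;
}

// Illustrative use in the page handler:
$row = fetch_generated_id($conn, $_GET['id'] ?? '');
if ($row === null) {
    http_response_code(404);
    exit('Record not found.');
}
```

Either step alone would stop the boolean-based probes described in the Exploitation section for this particular query (an integer column only needs the integer check), but the prepared statement is the fix that generalizes to string-typed parameters elsewhere in the application. `mysqli_stmt::get_result()` requires the mysqlnd driver; on builds without it, use `bind_result()` and `fetch()` instead.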
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.