itsourcecode Electronic Judging System login.php SQL injection
Description
A vulnerability has been found in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /intrams/admin/login.php. The manipulation of the argument Username leads to SQL injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SQL injection vulnerability exists in the Electronic Judging System 1.0 login page, allowing remote unauthenticated attackers to manipulate queries via the username parameter.
Vulnerability
A SQL injection vulnerability exists in the Electronic Judging System version 1.0, specifically in the /intrams/admin/login.php file. The issue arises because the Username parameter is directly concatenated into SQL queries without proper sanitization or validation [2]. This allows an attacker to inject arbitrary SQL commands through the login form. The software vendor homepage and affected zip file are available at the itsourcecode.com domain [1][2].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication or any special privileges [2]. The attack is performed by sending a crafted POST request to the login endpoint with a malicious payload in the username parameter. A proof-of-concept payload example is: username=12345' AND (SELECT 4355 FROM (SELECT(SLEEP(5)))iVdz) AND 'WAPG'='WAPG&password=12345, which demonstrates time-based blind SQL injection [2]. The exploit has been publicly disclosed and may be used by attackers [CVE description].
Impact
Successful exploitation enables an attacker to perform unauthorized operations on the database, including accessing sensitive data, modifying or deleting records, and potentially gaining complete control of the system. This can lead to data leakage, data tampering, and service disruption, posing a serious threat to the confidentiality, integrity, and availability of the application and its data [2].
Mitigation
As of the publication date, no official patch or fixed version has been released by itsourcecode for the Electronic Judging System 1.0 [1][2]. The vendor has not provided a security update or workaround. Users should consider removing the vulnerable component from production environments or implementing Web Application Firewall (WAF) rules to block SQL injection patterns until a patch is made available. The software is available via a zip file from the vendor's site, and users should monitor itsourcecode.com for any future updates [1].
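The interim request filtering suggested above, sketched as a check on the login POST body. This is an added example, not code from the vendor or the cited references; the username allow-list, the reason labels and the benign sample are assumptions, and the check is a stopgap rather than a substitute for parameterizing the query in login.php.

```python
import re
from urllib.parse import parse_qs

LOGIN_PATH = "/intrams/admin/login.php"  # endpoint named in the advisory

# Assumption: real login names are short and use only these characters.
USERNAME_OK = re.compile(r"[A-Za-z0-9_.@-]{1,64}")

# Constructs that do not belong in a login name, with a label for the alert.
SQLI_SIGNS = [
    ("quote", re.compile(r"['\"`]")),
    ("comment", re.compile(r"--|#|/\*")),
    ("subquery", re.compile(r"\(\s*select\b", re.I)),
    ("time-delay", re.compile(r"\bsleep\s*\(", re.I)),
    ("boolean-chain", re.compile(r"\b(?:and|or)\b.*[=<>]", re.I)),
]

def inspect_login(path, body):
    """Return reasons to block one form-encoded request; [] means allow."""
    if path.split("?", 1)[0] != LOGIN_PATH:
        return []  # not the vulnerable endpoint
    fields = parse_qs(body, keep_blank_values=True)
    # The advisory writes the parameter as "Username" and "username".
    names = [v for k, vs in fields.items() if k.lower() == "username" for v in vs]
    if len(names) != 1:
        return ["username-missing-or-repeated"]
    reasons = [label for label, rx in SQLI_SIGNS if rx.search(names[0])]
    # The allow-list is the real control; the labels above only explain the alert.
    if not USERNAME_OK.fullmatch(names[0]):
        reasons.append("not-allow-listed")
    return reasons

# Request body quoted in the Exploitation section above.
POC_BODY = ("username=12345' AND (SELECT 4355 FROM (SELECT(SLEEP(5)))iVdz) "
            "AND 'WAPG'='WAPG&password=12345")
# Constructed benign request for comparison.
BENIGN_BODY = "username=judge01&password=S3cret"

if __name__ == "__main__":
    for body in (POC_BODY, BENIGN_BODY):
        print(inspect_login(LOGIN_PATH, body) or "allow")
```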
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
References
- github.com/nidieaaa/test/issues/11 (mitre: exploit, issue-tracking)
- vuldb.com/submit/813427 (mitre: third-party-advisory)
- itsourcecode.com (mitre: product)
- vuldb.com/vuln/365346 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/365346/cti (mitre: signature, permissions-required)