CVE-2021-40908: CVE-nu11secur1ty/vendors/oretnom23/CVE-nu11-09 at main · nu11secur1ty/CVE-nu11secur1ty

SQL injection vulnerability in Login.php in Sourcecodester Purchase Order Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter.


CVE-nu11-09

Vulnerability Description:

POMS-PHP (by oretnom23) v1.0 is vulnerable to a remote SQL-injection authentication bypass of the admin account in app/purchase_order/classes/Login.php (background on SQL injection used to bypass authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication). The username parameter from the login form is concatenated into the SQL query with no escaping or parameterisation, so a crafted value sent to the MySQL server can bypass the login credentials and take control of the admin account.

Vulnerability PHP code:

```php
public function login(){
    // Every POST field becomes a local variable ($username, $password, ...)
    extract($_POST);

    // Vulnerable query: $username and $password are interpolated verbatim,
    // with no escaping and no bound parameters
    $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
    if($qry->num_rows > 0){
        foreach($qry->fetch_array() as $k => $v){
            if(!is_numeric($k) && $k != 'password'){
                $this->settings->set_userdata($k,$v);
            }
        }
        $this->settings->set_userdata('login_type',1);
        return json_encode(array('status'=>'success'));
    }else{
        // On failure the raw query text is echoed back to the client
        return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
    }
}
```
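For contrast, here is a hardened rewrite of that login routine. It is an added example, not code from POMS-PHP or from the advisory author; it assumes the users/username/password columns seen in the query above and uses PDO with an in-memory SQLite database in place of the application's mysqli connection so it runs stand-alone, the same prepare/execute pattern applying to mysqli.

```php
<?php
// Added example (not the project's code): parameterised login with a
// password hash check done in PHP rather than inside the SQL statement.
// Uses PDO + SQLite in memory purely so the file runs on its own.
declare(strict_types=1);

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema, mirroring the columns used by the vulnerable query
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, type INTEGER)');
    // Constructed sample account; password_hash() replaces the unsalted md5()
    $stmt = $db->prepare('INSERT INTO users (username, password, type) VALUES (?, ?, ?)');
    $stmt->execute(['admin', password_hash('correct horse battery', PASSWORD_DEFAULT), 1]);
    return $db;
}

// The username is sent as a bound parameter, so whatever it contains it can
// only ever be compared as data and never alters the shape of the statement.
function login(PDO $db, string $username, string $password): array {
    $stmt = $db->prepare('SELECT * FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        // Unlike the original, the query text is not returned to the client
        return ['status' => 'incorrect'];
    }
    unset($row['password']);          // never hand the hash to the session layer
    $row['login_type'] = 1;           // same session flag the original sets
    return ['status' => 'success', 'user' => $row];
}

$db = setupDb();
assert(login($db, 'admin', 'correct horse battery')['status'] === 'success');
assert(login($db, 'admin', 'wrong password')['status'] === 'incorrect');
// A username containing a quote is just a non-matching string: no syntax
// error, no change to the query, no bypass.
assert(login($db, "o'brien", 'anything')['status'] === 'incorrect');
echo json_encode(login($db, 'admin', 'correct horse battery')), PHP_EOL;
```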

Responding from the hacked target:

      • PoC + checks = PoC-CVE-nu11-09-rfth.py

C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>python PoC-CVE-nu11-09.py

DevTools listening on ws://127.0.0.1:63704/devtools/browser/bf18be59-2361-4c08-82dc-689957d5bf9e

The payload for CVE-nu11-09 is deployed and your admin account is PWNED by SQL - Injection

Please see the screenshot poc.png to see if your exploit is working =) BR @nu11secur1ty

This target gives a positive <Response [200]> from inside, after bypassing the login :D

C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>

Exploit technique:

Python + Selenium + hidden login && screenshot

Proof:


BR

      • @nu11secur1ty
