Overview
CVE-2024-58276 details a critical SQL injection vulnerability found in Obi08/Enrollment System version 1.0. This flaw allows unauthenticated attackers to execute arbitrary SQL queries via the keyword parameter in the /get_subject.php endpoint. Exploitation can lead to the extraction of sensitive data, including usernames and passwords, from the application’s database.
Technical Details
The vulnerability stems from insufficient sanitization of user-supplied input in the keyword parameter of the /get_subject.php script. An attacker can inject malicious SQL code into this parameter, bypassing the intended query structure. The vulnerability is particularly severe because it can be exploited without requiring authentication.
The identified exploit utilizes UNION-based SQL injection. This allows the attacker to combine the results of their injected query with the original query, effectively extracting data from tables beyond what the original query intended to access. A typical exploit might involve injecting code similar to the following (URL-encoded for use in the HTTP request):
/get_subject.php?keyword=';%20UNION%20SELECT%20username,password%20FROM%20users;--
This crafted URL would attempt to retrieve the username and password fields from the users table.
CVSS Analysis
Unfortunately, the provided information lacks a CVSS score and severity. However, given the unauthenticated nature of the vulnerability and the potential for sensitive data exposure, it is highly likely to be rated as Critical if a formal CVSS score were assigned. The ease of exploitation and the direct compromise of user credentials warrant a high-severity assessment.
Possible Impact
The impact of this vulnerability is significant. Successful exploitation can lead to:
- Data Breach: Exposure of sensitive user data, including usernames and passwords.
- Account Takeover: Attackers can use compromised credentials to access user accounts.
- System Compromise: In some cases, SQL injection can be leveraged to gain control over the underlying database server or even the entire system.
- Reputational Damage: A data breach can severely damage the reputation of the organization using the vulnerable software.
Mitigation or Patch Steps
Currently, a patch for this vulnerability is not explicitly mentioned. However, immediate mitigation steps should be taken:
- Input Sanitization: Implement robust input validation and sanitization for all user-supplied data, especially in the
keywordparameter of/get_subject.php. Use parameterized queries or prepared statements to prevent SQL injection. - Web Application Firewall (WAF): Deploy a WAF with rules to detect and block SQL injection attempts.
- Disable Direct Database Access: Ensure that the web server account has minimal privileges to access the database.
- Code Review: Conduct a thorough code review of the application to identify and address other potential vulnerabilities.
- Monitor for Suspicious Activity: Implement monitoring and alerting to detect unusual database activity that might indicate an attempted exploit.
- Contact the Vendor: Contact Obi08 to request a security patch for this vulnerability. If the vendor is unresponsive, consider migrating to a more secure enrollment system.
