Online Book Store Project v1.0 - Unauthenticated SQL Injection (SQLi)
Summary
| Field | Value |
|---|---|
| Name | Online Book Store Project v1.0 - Unauthenticated SQL Injection (SQLi) |
| Code name | |
| Product | Online Book Store Project |
| Affected versions | Version 1.0 |
| State | Public |
| Release date | 2023-09-28 |
Vulnerabilities
| Field | Value |
|---|---|
| Kind | Unauthenticated SQL Injection (SQLi) |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSSv3.1 Base Score | 9.8 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2023-43739 |
Description
The 'bookisbn' parameter of the cart.php resource is not validated: the ISBN values held in $_SESSION['cart'] are passed through total_price() to getbookprice(), where the value is concatenated unfiltered into a SQL query. The relevant vulnerable code is:
cart.php:

```php
if(isset($_SESSION['cart']) && (array_count_values($_SESSION['cart']))){
    // the cart array is keyed by the ISBN values received from the client
    $_SESSION['total_price'] = total_price($_SESSION['cart']);
    $_SESSION['total_items'] = total_items($_SESSION['cart']);
}
```

cart_functions.php:

```php
function total_price($cart){
    $price = 0.0;
    if(is_array($cart)){
        foreach($cart as $isbn => $qty){
            // each cart key is handed to the database layer as-is
            $bookprice = getbookprice($isbn);
            if($bookprice){
                $price += $bookprice * $qty;
            }
        }
    }
    return $price;
}
```

database_functions.php:

```php
function getbookprice($isbn){
    $conn = db_connect();
    // $isbn is interpolated straight into the query string: the injection point
    $query = "SELECT book_price FROM books WHERE book_isbn = '$isbn'";
    $result = mysqli_query($conn, $query);
    if(!$result){
        echo "get book price failed! " . mysqli_error($conn);
        exit;
    }
    $row = mysqli_fetch_assoc($result);
    return $row['book_price'];
}
```
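As an added example (not the project's code, which ships no fix), this is how the lookup above would be hardened: the ISBN is checked against an allowlist before it is stored in the cart, and the query is parameterised so the value is bound rather than spliced into the SQL text. It assumes the project's db_connect() returns a mysqli handle and that the table and column names are as shown in the vulnerable snippet; the ISBN format check is an illustrative assumption.

```php
<?php
// Added example, not part of the Online Book Store Project: hardened
// replacements for the cart and price-lookup logic shown in the advisory.

// Allowlist check (assumed format): ISBN-10, optionally ending in X, or ISBN-13.
function is_valid_isbn(string $isbn): bool
{
    return preg_match('/^(?:\d{9}[\dX]|\d{13})$/', $isbn) === 1;
}

// Only validated ISBNs become keys of $_SESSION['cart'], so untrusted
// values never reach total_price() and getbookprice().
function add_to_cart(array &$cart, string $isbn, int $qty = 1): bool
{
    if (!is_valid_isbn($isbn) || $qty < 1) {
        return false;
    }
    $cart[$isbn] = ($cart[$isbn] ?? 0) + $qty;
    return true;
}

// Parameterised lookup: the ISBN travels as a bound parameter, so quote
// characters in it cannot alter the structure of the query.
function getbookprice_safe(string $isbn): ?float
{
    if (!is_valid_isbn($isbn)) {
        return null;
    }
    $conn = db_connect(); // project helper, assumed to return a mysqli handle
    $stmt = $conn->prepare('SELECT book_price FROM books WHERE book_isbn = ?');
    if ($stmt === false) {
        // log server-side; do not echo mysqli_error() back to the client
        error_log('getbookprice: prepare failed: ' . $conn->error);
        return null;
    }
    $stmt->bind_param('s', $isbn);
    $stmt->execute();
    $stmt->bind_result($price);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (float) $price : null;
}
```

Rejecting malformed ISBNs at add_to_cart() also gives a clean detection point: a logged validation failure on this field is a useful signal of probing against cart.php.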
Our security policy
We have reserved the ID CVE-2023-43739 to refer to this issue from now on.
System Information
- Version: Online Book Store Project v1.0
- Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
Vendor page: https://projectworlds.in/
Timeline
| Date | Event |
|---|---|
| 2023-09-21 | Vulnerability discovered. |
| 2023-09-21 | Vendor contacted. |
| 2023-09-28 | Public Disclosure. |