Online Bus Booking System v1.0 - Multiple Unauthenticated SQL Injections (SQLi)
Summary
Name | Online Bus Booking System v1.0 - Multiple Unauthenticated SQL Injections (SQLi) |
Code name | O'Connor |
Product | Online Bus Booking System |
Vendor | Projectworlds Pvt. Limited |
Affected versions | Version 1.0 |
State | Public |
Release date | 2023-11-01 |
Vulnerabilities
Kind | Unauthenticated SQL Injections (SQLi) |
Rule | 146. SQL Injection |
Remote | Yes |
CVSSv3 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSSv3 Base Score | 9.8 |
Exploit available | Yes |
CVE ID(s) | CVE-2023-45012, CVE-2023-45015, CVE-2023-45018, CVE-2023-45019 |
Description
Online Bus Booking System v1.0 contains multiple unauthenticated SQL injection vulnerabilities.
Vulnerabilities
CVE-2023-45012
The 'user_email' parameter of the bus_info.php resource is not validated: the value received is interpolated unfiltered into the SQL statement sent to the database. The vulnerable code is:
$user_email = $_POST['user_email'];
$user_query = $_POST['user_query'];
$query = "INSERT INTO query(query_bus_id, query_user, query_email, query_date, query_content, query_replied) VALUES ('$selected_bus', '$user_name', '$user_email', now(), '$user_query', 'no')";
$query_insert = mysqli_query($connection, $query);
CVE-2023-45015
The 'date' parameter of the search.php resource is not validated: the value received is interpolated unfiltered into the SQL statement sent to the database. The vulnerable code is:
$source = $_POST['source'];
$destination = $_POST['destination'];
$date = $_POST['date'];
...
$query = "SELECT * FROM posts WHERE post_via LIKE '%$source%$destination%' AND post_date='$date'";
$search_query = mysqli_query($connection,$query);
CVE-2023-45018
The 'username' parameter of the includes/login.php resource is not validated: the value received is interpolated unfiltered into the SQL statement sent to the database. The vulnerable code is:
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username = '$username'";
$select_user = mysqli_query($connection,$query);
CVE-2023-45019
The 'category' parameter of the category.php resource is not validated: the value received is interpolated unfiltered into the SQL statement sent to the database. The vulnerable code is:
if (isset($_GET['category'])) {
    $cat_type = $_GET['category'];
}
$query = "SELECT * FROM posts WHERE post_category_id=$cat_type";
$select_all_bus = mysqli_query($connection,$query);
Our security policy
We have reserved the IDs CVE-2023-45012, CVE-2023-45015, CVE-2023-45018 and CVE-2023-45019 to refer to these issues from now on.
System Information
- Version: Online Bus Booking System v1.0
- Operating System: Any
Mitigation
There is currently no patch available for these vulnerabilities.
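Until a vendor fix exists, each of the four queries shown above can be rewritten with mysqli prepared statements so that request values are bound as data rather than concatenated into the SQL text. The following is an added example, not code from the vendor or from this advisory's authors; the function names are hypothetical, and it assumes $connection is the application's existing mysqli handle with the mysqlnd driver available.

```php
<?php
// Added example; function names are hypothetical. $connection is assumed to be
// the application's mysqli handle, with mysqlnd for mysqli_stmt_get_result().
// Prepare, bind and execute: request values never become part of the SQL text.
function run_prepared(mysqli $connection, string $sql, string $types, array $params): mysqli_stmt
{
    $stmt = mysqli_prepare($connection, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed');
    }
    mysqli_stmt_bind_param($stmt, $types, ...$params);
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('execute failed');
    }
    return $stmt;
}

// CVE-2023-45018, includes/login.php
function find_user(mysqli $connection, string $username)
{
    $stmt = run_prepared($connection, "SELECT * FROM users WHERE username = ?", 's', [$username]);
    return mysqli_stmt_get_result($stmt);
}

// CVE-2023-45019, category.php: the value was unquoted, so require an integer.
function posts_in_category(mysqli $connection, $raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('category must be an integer');
    }
    $stmt = run_prepared($connection, "SELECT * FROM posts WHERE post_category_id = ?", 'i', [$id]);
    return mysqli_stmt_get_result($stmt);
}

// CVE-2023-45015, search.php: bind the whole LIKE pattern; escape user % and _.
function search_posts(mysqli $connection, string $source, string $destination, string $date)
{
    $via = '%' . addcslashes($source, '%_\\') . '%' . addcslashes($destination, '%_\\') . '%';
    $sql = "SELECT * FROM posts WHERE post_via LIKE ? AND post_date = ?";
    return mysqli_stmt_get_result(run_prepared($connection, $sql, 'ss', [$via, $date]));
}

// CVE-2023-45012, bus_info.php: all four interpolated values become placeholders.
function insert_query(mysqli $connection, $bus, $name, $email, $content): void
{
    $sql = "INSERT INTO query(query_bus_id, query_user, query_email, query_date, query_content, query_replied) VALUES (?, ?, ?, now(), ?, 'no')";
    run_prepared($connection, $sql, 'ssss', [$bus, $name, $email, $content]);
}
```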
Credits
The vulnerabilities were discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
Vendor page https://projectworlds.in/
Timeline
2023-10-02 | Vulnerability discovered. |
2023-10-02 | Vendor contacted. |
2023-11-01 | Public Disclosure. |