Online Art Gallery v1.0 - Multiple Unauthenticated SQL Injections (SQLi)
Summary
Name | Online Art Gallery v1.0 - Multiple Unauthenticated SQL Injections (SQLi) |
Code name | Ono |
Product | Online Art Gallery |
Vendor | Projectworlds Pvt. Limited |
Affected versions | Version 1.0 |
State | Public |
Release date | 2023-10-26 |
Vulnerabilities
Kind | Unauthenticated SQL Injections (SQLi) |
Rule | 146. SQL Injection |
Remote | Yes |
CVSSv3 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSSv3 Base Score | 9.8 |
Exploit available | Yes |
CVE ID(s) | CVE-2023-44267 |
Description
Online Art Gallery v1.0 is vulnerable to unauthenticated SQL injection. The 'lnm' parameter of the header.php resource is not validated: the characters received are sent unfiltered to the database. The vulnerable code is:
$fnm=trim($_POST['fnm']);
$lnm=trim($_POST['lnm']);
$gender=trim($_POST['gender']);
$contact=trim($_POST['contact']);
$email=trim($_POST['email']);
$pwd=trim($_POST['pwd']);
$dbpass=password_hash($pwd, PASSWORD_DEFAULT);
$confirm=trim($_POST['confirmpwd']);
$add1=trim($_POST['add1']);
$add2=trim($_POST['add2']);
$add3=trim($_POST['add3']);
...
$query="insert into user_reg (fname,lname,gender,contact,email,password,add1,add2,add3) value('$fnm','$lnm','$gender','$contact','$email','$dbpass','$add1','$add2','$add3')";
mysqli_query($link,$query) or die("Error inserting data.".mysqli_error($link));
Our security policy
We have reserved the ID CVE-2023-44267 to refer to this issue from now on.
System Information
- Version: Online Art Gallery v1.0
- Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
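In the absence of a vendor patch, the insert shown in the Description can be rewritten with a parameterized query. The following is an added example, not the vendor's code and not part of the original advisory; it assumes the `$link` mysqli connection and the `user_reg` columns from the vulnerable snippet, and `register_user()` is a hypothetical helper name.

```php
<?php
// Added example (not vendor code): parameterized form of the user_reg insert.
// Assumes $link is the mysqli connection already opened by header.php;
// register_user() is a hypothetical helper name.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function register_user(mysqli $link, array $post): bool
{
    $fields = ['fnm', 'lnm', 'gender', 'contact', 'email', 'pwd', 'add1', 'add2', 'add3'];
    $in = [];
    foreach ($fields as $f) {
        // Reject missing or non-string input (for example lnm[]=x arrays).
        if (!isset($post[$f]) || !is_string($post[$f])) {
            return false;
        }
        $in[$f] = trim($post[$f]);
    }
    $dbpass = password_hash($in['pwd'], PASSWORD_DEFAULT);

    // Placeholders keep request data out of the SQL text entirely, so quotes
    // in 'lnm' or any other field are stored as data, never parsed as SQL.
    $stmt = $link->prepare(
        'INSERT INTO user_reg (fname, lname, gender, contact, email, password, add1, add2, add3)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param(
        'sssssssss',
        $in['fnm'], $in['lnm'], $in['gender'], $in['contact'], $in['email'],
        $dbpass, $in['add1'], $in['add2'], $in['add3']
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

try {
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && !register_user($link, $_POST)) {
        http_response_code(400);
        exit('Invalid registration data.');
    }
} catch (mysqli_sql_exception $e) {
    // Unlike die(... mysqli_error($link)), keep database detail out of the response.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Error inserting data.');
}
```

Every column in the original statement is built from request data, so all nine values are bound, not only `lnm`.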
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
Vendor page https://projectworlds.in/
Timeline
2023-09-28
Vulnerability discovered.
2023-09-28
Vendor contacted.
2023-10-26
Public Disclosure.