Job Portal v1.0 - Multiple SQLi

Summary

NameJob Portal v1.0 - Multiple Unauthenticated SQL Injections (SQLi)
Code namePollini
ProductJob Portal
VendorKashipara Group
Affected versionsVersion 1.0
StatePublic
Release date2023-12-06

Vulnerabilities

KindUnauthenticated SQL Injections (SQLi)
Rule146. SQL Injection
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSSv3 Base Score9.8
Exploit availableYes
CVE ID(s)CVE-2023-49677, CVE-2023-49681, CVE-2023-49688, CVE-2023-49689

Description

Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

Vulnerabilities

CVE-2023-49677

The 'cmbQual' parameter of the Employer/InsertJob.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

$txtTitle=$_POST['txtTitle'];
$txtTotal=$_POST['txtTotal'];
$cmbQual=$_POST['cmbQual'];
$txtDesc=$_POST['txtDesc'];
$Name=$_SESSION['Name'];
if($cmbQual=="Other")
{
$cmbQual=$_POST['txtOther'];
}
// Establish Connection with MYSQL
$con = mysqli_connect ("localhost","root","","job");

// Specify the query to Insert Record
$sql = "insert into job_master (CompanyName,JobTitle,Vacancy,MinQualification,Description) values('".$Name."','".$txtTitle."','".$txtTotal."','".$cmbQual."','".$txtDesc."')";
// execute query
mysqli_query ($con,$sql);

CVE-2023-49681

The 'cmbQual' parameter of the Employer/InsertWalkin.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

$txtTitle=$_POST['txtTitle'];
$txtTotal=$_POST['txtTotal'];
$cmbQual=$_POST['cmbQual'];
$txtDesc=$_POST['txtDesc'];
$txtDate=$_POST['txtDate'];
$txtTime=$_POST['txtTime'];
$Name=$_SESSION['Name'];
if($cmbQual=="Other")
{
$cmbQual=$_POST['txtOther'];
}
// Establish Connection with MYSQL
$con = mysqli_connect ("localhost","root","","job");

// Specify the query to Insert Record
$sql = "insert into walkin_master (CompanyName,JobTitle,Vacancy,MinQualification,Description,InterviewDate,InterviewTime) values('".$Name."','".$txtTitle."','".$txtTotal."','".$cmbQual."','".$txtDesc."','".$txtDate."','".$txtTime."')";
// execute query
mysqli_query ($con,$sql);

CVE-2023-49688

The 'txtUser' parameter of the login.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

$UserName=$_POST['txtUser'];
$Password=$_POST['txtPass'];
$UserType=$_POST['cmbUser'];
if($UserType=="Administrator")
{
$con = mysqli_connect("localhost","root","","job");

$sql = "select * from user_master where UserName='".$UserName."' and Password='".$Password."'";
$result = mysqli_query($con,$sql);

CVE-2023-49689

The 'JobId' parameter of the Employer/DeleteJob.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

$Id=$_GET['JobId'];
// Establish Connection with MYSQL
$con = mysqli_connect ("localhost","root","","job");

// Specify the query to Insert Record
$sql = "delete from Job_Master where JobId='".$Id."'";
// execute query
mysqli_query ($con,$sql);

Our security policy

We have reserved the IDs CVE-2023-49677, CVE-2023-49681, CVE-2023-49688 and CVE-2023-49689 to refer to these issues from now on.

System Information

  • Version: Job Portal v1.0
  • Operating System: Any

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.

References

Vendor page https://www.kashipara.com/

Timeline

Time-lapse-logo

2023-11-29

Vulnerability discovered.

Time-lapse-logo

2023-11-29

Vendor contacted.

Time-lapse-logo

2023-12-06

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.