Schoolmate_CVE-2023-40944
Schoolmate v1.3 (https://sourceforge.net/projects/schoolmate) is vulnerable to a second-order SQL Injection through the variable $schoolname, which is read back from the database in ~\header.php.
~\header.php:
3.  $query = mysql_query("select SchoolName from SchoolInfo")
4.      or die("Unable to retrieve school name: " . mysql_error());
5.
6.  $schoolname = mysql_result($query,0);
...
9.  if($_POST["infoupdate"] == 1)
10. {
11.     $query = mysql_query("UPDATE schoolinfo SET schoolname = \"".htmlspecialchars($_POST["schoolname"])."\", address = '$_POST[schooladdress]', phonenumber = '$_POST[schoolphone]', sitetext = '$_POST[sitetext]', sitemessage = '$_POST[sitemessage]', numsemesters = '$_POST[numsemesters]', numperiods = '$_POST[numperiods]', apoint = '$_POST[apoint]', bpoint = '$_POST[bpoint]', cpoint = '$_POST[cpoint]', dpoint = '$_POST[dpoint]', fpoint = '$_POST[fpoint]' where schoolname = '$schoolname' LIMIT 1 ");
12.     $schoolname = htmlspecialchars($_POST["schoolname"]);
13. }
The application updates the value of schoolname in table schoolinfo with user input, then on a later request reads the stored value back (line 3) and uses it to build an SQL statement dynamically (line 11).
In line 3 of the code, the data for $schoolname is sourced from mysql_query.
In line 11, $schoolname is passed into an SQL statement without any filtering or validation. This can potentially lead to data loss and database shutdown.
For example, if an attacker first stores $schoolname="admin' or 1=1 #" in the database, the executed SQL statement would become: "UPDATE schoolinfo SET ... WHERE schoolname = 'admin' or 1=1 #' LIMIT 1". In this case, the WHERE clause condition would evaluate to true, resulting in modification of all data in the schoolinfo table.
Similarly, if an attacker first stores $schoolname="1'; system shutdown;#" in the database, the executed SQL statement would become: "UPDATE schoolinfo SET ... WHERE schoolname = '1'; system shutdown;#' LIMIT 1", causing the database to initiate a shutdown operation.
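As an added example, not part of the original advisory or of the Schoolmate code, the same header.php logic rewritten with mysqli prepared statements, so that neither the POSTed fields nor the school name read back from the database are ever concatenated into SQL text. Connection details are placeholders; column names are taken from the quoted UPDATE statement.

```php
<?php
// Added example (not Schoolmate's own code): hardened rewrite of the
// ~\header.php fragment using mysqli prepared statements.
// Connection parameters are placeholders.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'schoolmate');
if ($db->connect_error) {
    die('Unable to connect to database.');
}
$db->set_charset('utf8mb4');

// Equivalent of original line 3: fetch the stored school name. The value is
// still untrusted data, because a user supplied it in an earlier request.
$stmt = $db->prepare('SELECT schoolname FROM schoolinfo LIMIT 1');
$stmt->execute();
$stmt->bind_result($schoolname);
$stmt->fetch();
$stmt->close();

if (isset($_POST['infoupdate']) && $_POST['infoupdate'] == 1) {
    // Collect the form fields; missing fields become empty strings, and
    // nothing is HTML-escaped here (escaping belongs at output time).
    $fields = ['schoolname', 'schooladdress', 'schoolphone', 'sitetext',
               'sitemessage', 'numsemesters', 'numperiods', 'apoint',
               'bpoint', 'cpoint', 'dpoint', 'fpoint'];
    $values = [];
    foreach ($fields as $f) {
        $values[] = (string) ($_POST[$f] ?? '');
    }
    // Equivalent of original line 11: every value, including the previously
    // stored $schoolname in the WHERE clause, travels as a bound parameter, so
    // a stored name like  admin' or 1=1 #  is compared literally and cannot
    // alter the statement's structure. All parameters are bound as strings;
    // MySQL coerces them to the column type. Field-level validation (numeric
    // ranges, lengths) belongs on top of this, not instead of it.
    $stmt = $db->prepare(
        'UPDATE schoolinfo SET schoolname = ?, address = ?, phonenumber = ?, '
        . 'sitetext = ?, sitemessage = ?, numsemesters = ?, numperiods = ?, '
        . 'apoint = ?, bpoint = ?, cpoint = ?, dpoint = ?, fpoint = ? '
        . 'WHERE schoolname = ? LIMIT 1'
    );
    $values[] = (string) $schoolname;   // 13th parameter: the WHERE value
    $stmt->bind_param(str_repeat('s', 13), ...$values);
    $stmt->execute();
    $stmt->close();
    $schoolname = $values[0];
}

// Escape at the point of output rather than when storing the value.
echo '<title>' . htmlspecialchars($schoolname, ENT_QUOTES, 'UTF-8') . '</title>';
```

The fix is structural rather than value-based: because the previously stored name is bound as a parameter, it no longer matters what characters it contains when it is read back on the next request.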