Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
CVE-mitre/Online-Catering-Reservation-DT-Food-Catering/
CVE-mitre/Online-Catering-Reservation-DT-Food-Catering/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

Base on checks for other issues for CVE-2021-38758 and I found SQL injection bypass login. :D

Software version and vendor:

      • Online-Catering-Reservation-DT Food Catering (by: oretnom23 ) v1.0
  • Type 1=1

  • [+] Proof


[+] Vulnerable Code:

[+] Path: /catering/classes/Login.php

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

[+] Temporary fix of the problem, but not strong: :)

		$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

Description:

The Online-Catering-Reservation-DT Food-Catering(by: oretnom23)v1.0 is vulnerable
in the application /catering/classes/Login.php which is called from /catering/dist/js/script.js app. 
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. 
When the user is sending a request to the MySQL server he can bypass the login credentials and take control of the administer account.