CVE-2021-40595
📋 TL;DR
This SQL injection vulnerability in the Online Leave Management System allows attackers to execute arbitrary SQL commands via the username parameter in the login functionality (/leave_system/classes/Login.php). Attackers can potentially bypass authentication, extract sensitive data, or compromise the database server. Any deployment of this Sourcecodester download whose login code still splices the username into the SQL string is affected.
💻 Affected Systems
- Sourcecodester Online Leave Management System
📦 What is this software?
Online Leave Management System, a free PHP source-code download published on Sourcecodester (the vulnerability record lists the vendor as "Online Leave Management System Project").
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, authentication bypass and privilege escalation within the application; remote code execution on the database server is possible only if the application's database account holds file-write or similar elevated privileges.
Likely Case
Authentication bypass allowing unauthorized access to the leave management system, data extraction of user credentials and sensitive leave records.
If Mitigated
Limited impact if proper input validation and parameterized queries are implemented, with database permissions restricted.
🎯 Exploit Status
Exploitation requires only sending crafted SQL payloads in the username parameter of a login POST request; no authentication is needed. A public proof-of-concept is published in the GitHub repository listed under References.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Rewrite the login query in /leave_system/classes/Login.php to use prepared statements with bound parameters, for the username parameter and for every other user-controlled value (such as the password) that is currently concatenated into the SQL string.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation for the username parameter (for example, an allow-list of characters valid in account names) as a stopgap only; validation alone does not fix the root cause.
Modify the PHP code to use prepared statements: $stmt = $conn->prepare('SELECT * FROM users WHERE username = ?'); $stmt->bind_param('s', $username); $stmt->execute(); and apply the same binding to every other value the query uses.
Web Application Firewall Rules
Deploy WAF rules to block SQL injection patterns targeting the login endpoint.
Add a WAF rule to block requests to /leave_system/classes/Login.php containing SQL keywords or constructs such as UNION, SELECT, INSERT, DELETE, DROP, OR 1=1 and quote-comment sequences ('--). Keyword blocklists are bypassable (case changes, inline comments, URL or double encoding) and can reject legitimate usernames containing a keyword, so treat this as a temporary layer, not a fix.
🧯 If You Can't Patch
- Isolate the system behind a firewall, restricting access to authorized IP addresses only.
- Implement network segmentation to limit database server access from the application server only.
🔍 How to Verify
Check if Vulnerable:
On a non-production copy, send SQL injection payloads (e.g., admin' OR '1'='1, or the comment-terminated form admin'-- with a trailing space) in the username parameter of POST requests to /leave_system/classes/Login.php and observe whether the login succeeds without a valid password or the response contains an SQL error. Whether a given payload bypasses depends on how the password clause is combined in the query, so test more than one form before concluding the endpoint is safe.
Check Version:
The download is not published with a documented version number, so check the source code and any bundled documentation for version indicators; otherwise treat any copy obtained from the Sourcecodester page as vulnerable until the query in Login.php has been converted to a prepared statement.
Verify Fix Applied:
Repeat the same SQL injection tests after implementing parameterized queries; each payload should be treated as a literal (non-existent) username, producing the normal invalid-credentials response with no SQL error in the page or the database log.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts with SQL special characters in username field
- Database error logs showing SQL syntax errors from queries issued by /leave_system/classes/Login.php
Network Indicators:
- HTTP POST requests to /leave_system/classes/Login.php containing SQL keywords in parameters
- Unusual database queries originating from the application server
SIEM Query:
source="web_logs" AND url_path="/leave_system/classes/Login.php" AND (username="*UNION*" OR username="*OR 1=1*" OR username="*OR '1'='1*" OR username="*'--*" OR username="*;--*")
(This query only works where the username POST parameter is actually captured, e.g. from a WAF or request-body logging module; standard web access logs record the path of a POST but not its body. URL-decode the field before matching, since the payload normally arrives as admin%27+OR+%271%27%3D%271.)
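The SIEM pattern above assumes decoded parameters; in practice the username arrives URL-encoded, sometimes double-encoded, and a bare keyword list flags legitimate names. The following added example (not from the original page or the project) runs the same detection logic over a few constructed request-log lines in an assumed format that records the POST body, decodes the username parameter, applies a quote-plus-construct rule rather than bare keywords, and aggregates hits per client.

```python
"""Detect SQL-injection attempts against Login.php in request logs (added example).

Assumes a log format that records the POST body (WAF or request-body logging);
ordinary access logs do not. Log lines below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote_plus

LOGIN_PATH = "/leave_system/classes/Login.php"

# Constructed sample log. Fields: <timestamp> <client_ip> <method> <path> <url-encoded body>
SAMPLE_LOG = """\
2021-09-10T10:00:01Z 203.0.113.5 POST /leave_system/classes/Login.php username=jdoe&password=Winter2021
2021-09-10T10:00:07Z 203.0.113.5 POST /leave_system/classes/Login.php username=o%27brien&password=pw
2021-09-10T10:01:13Z 198.51.100.9 POST /leave_system/classes/Login.php username=admin%27+OR+%271%27%3D%271&password=x
2021-09-10T10:01:20Z 198.51.100.9 POST /leave_system/classes/Login.php username=admin%27--+&password=x
2021-09-10T10:01:31Z 198.51.100.9 POST /leave_system/classes/Login.php username=%2527+UNION+SELECT+1%252C2%252C3--+&password=x
2021-09-10T10:02:00Z 192.0.2.7 GET /leave_system/index.php -
"""

# A quote followed by a boolean/comment construct, or a UNION SELECT / timing function.
# Requiring the quote avoids flagging names like o'brien or usernames containing "select".
INJECTION_RE = re.compile(
    r"""['"]\s*(or|and)\s+\S+\s*=|['"]\s*(--|#|;)|\bunion\s+(all\s+)?select\b|\b(sleep|benchmark)\s*\(""",
    re.IGNORECASE,
)


def normalize(value: str) -> str:
    """URL-decode twice (double encoding is a common filter bypass) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)


def scan_log(text: str = SAMPLE_LOG) -> list:
    """Return (timestamp, client_ip, decoded_username) for suspicious login POSTs."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue
        ts, ip, method, path, body = parts
        if method != "POST" or path != LOGIN_PATH:
            continue
        username = parse_qs(body, keep_blank_values=True).get("username", [""])[0]
        norm = normalize(username)
        if INJECTION_RE.search(norm):
            hits.append((ts, ip, norm))
    return hits


def attackers(hits: list, threshold: int = 2) -> dict:
    """Clients with at least `threshold` suspicious logins, as {ip: count}."""
    counts: dict = {}
    for _, ip, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log()
    for ts, ip, user in found:
        print(f"{ts} {ip} suspicious username={user!r}")
    print("repeat offenders:", attackers(found))
```

The single-quote requirement is a deliberate trade-off: it misses numeric-context injection (which this login's quoted string parameter does not use) in exchange for not paging on every user named O'Brien or Orlando; the double decode catches the %2527 form that a single-decode SIEM field would leave as a harmless-looking string.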
🔗 References
- https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-03
- https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html