CVE-2021-42580

9.8 CRITICAL

📋 TL;DR

CVE-2021-42580 is a critical vulnerability in Sourcecodester Online Learning System 2.0 that combines SQL injection authentication bypass with authenticated file upload to achieve unauthenticated remote code execution. Attackers can exploit this to gain administrative access and execute arbitrary commands on the server. All deployments of this specific software version are affected.

💻 Affected Systems

Products:
  • Sourcecodester Online Learning System
Versions: Version 2.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation. Requires PHP environment with file upload capabilities.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install malware, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Unauthenticated attackers gain administrative access, upload malicious files, and execute commands to deface websites, steal database contents, or deploy ransomware.

🟢 If Mitigated

With proper network segmentation and web application firewalls, exploitation attempts are blocked, limiting impact to the web application layer only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available. Attack chain combines SQL injection in /admin/login.php with file upload in Master.php.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing comprehensive workarounds.

🔧 Temporary Workarounds

Web Application Firewall Rules


Implement WAF rules to block SQL injection patterns and restrict access to Master.php. Note that the first rule below matches common SQL keywords anywhere in request arguments and will produce false positives on ordinary form input, and the second blocks all access to Master.php, including legitimate admin use; tune both to your traffic before enforcing.

# ModSecurity rules example:
SecRule ARGS "(?i:(union|select|insert|update|delete|drop|exec|xp_cmdshell))" \
"id:1001,phase:2,deny,status:403,msg:'SQL Injection attempt'"
# Block file uploads to Master.php:
SecRule REQUEST_FILENAME "@endsWith Master.php" \
"id:1002,phase:1,deny,status:403,msg:'Blocked Master.php access'"

File Upload Restrictions


Restrict file uploads to specific extensions and implement file type verification

// PHP upload handler check: whitelist the extension AND verify the detected MIME type,
// then store the file under a generated name so the client-supplied filename is never used.
$allowed = array('jpg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf');
if ($_FILES['file']['error'] !== UPLOAD_ERR_OK) { die('Upload failed'); }
$ext  = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['file']['tmp_name']);
if (!isset($allowed[$ext]) || $allowed[$ext] !== $mime) {
    die('Invalid file type');
}
$dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
move_uploaded_file($_FILES['file']['tmp_name'], $dest);

🧯 If You Can't Patch

  • Immediately isolate the system from internet access and place behind strict firewall rules
  • Implement network segmentation to limit lateral movement if compromised

🔍 How to Verify

Check if Vulnerable:

Check if /admin/login.php exists and test for SQL injection using payloads like ' OR '1'='1. Also verify Master.php accepts file uploads without proper authentication.

Check Version:

Check version in application files or database configuration. Look for version indicators in source code or admin panel.

Verify Fix Applied:

Test that SQL injection payloads no longer bypass authentication and file uploads to Master.php require proper authentication.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts with SQL patterns in /admin/login.php
  • File uploads to Master.php from clients that never completed a legitimate login
  • Unusual POST requests containing UNION SELECT or file upload parameters

Network Indicators:

  • HTTP requests with SQL injection patterns in login parameters
  • File uploads to Master.php endpoint
  • Subsequent connections to uploaded malicious files

SIEM Query:

source="web_logs" AND ((uri="/admin/login.php" AND (message="*union*" OR message="*select*" OR message="*' OR '*")) OR (uri="*Master.php*" AND method="POST" AND size>100000))
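As an added example (not part of this advisory), a small Python script that applies the log indicators above to constructed access-log lines: it flags SQL-injection markers in requests to /admin/login.php, POSTs to Master.php, and the first request to a previously unseen .php path from a client that already posted to Master.php (the "subsequent connection to an uploaded file" indicator). The placement of Master.php under /admin/, the sample client IPs and the uploads path are assumptions for the sample data.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined"-style format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:12:00:01 +0000] "POST /admin/login.php?username=admin'%20OR%20'1'='1&password=x HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2021:12:00:09 +0000] "POST /admin/Master.php HTTP/1.1" 200 215
203.0.113.5 - - [10/Oct/2021:12:00:15 +0000] "GET /admin/uploads/cmd.php?c=id HTTP/1.1" 200 41
198.51.100.7 - - [10/Oct/2021:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 8123
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# Markers of the authentication-bypass style of injection (quote/OR, UNION SELECT, comment truncation).
SQLI = re.compile(r"('\s*or\s*'|union\s+select|'\s*--|'\s*#|'\s*=\s*')", re.I)


def analyse(log_text):
    """Return (client_ip, indicator, decoded_uri) tuples for suspicious requests."""
    alerts = []
    upload_clients = set()   # clients that POSTed to Master.php
    known_paths = set()      # paths seen so far; a new .php path after an upload is suspicious
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, uri = m["ip"], m["method"], unquote_plus(m["uri"])
        path = uri.split("?", 1)[0]
        new_path = path not in known_paths
        known_paths.add(path)
        if path.endswith("/admin/login.php") and SQLI.search(uri):
            alerts.append((ip, "sqli-login", uri))
        elif path.endswith("Master.php") and method == "POST":
            # Request body size is not in the default combined format; flag on path+method alone.
            upload_clients.add(ip)
            alerts.append((ip, "master-upload", uri))
        elif new_path and path.endswith(".php") and ip in upload_clients:
            alerts.append((ip, "new-php-after-upload", uri))
    return alerts


if __name__ == "__main__":
    for ip, kind, uri in analyse(SAMPLE_LOG):
        print(f"{kind:22s} {ip:15s} {uri}")
```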

🔗 References
