CVE-2021-42665

9.8 CRITICAL

📋 TL;DR

CVE-2021-42665 is an SQL injection vulnerability in the Engineers Online Portal PHP application that allows attackers to bypass authentication via the login form. This affects any organization using the vulnerable version of this software, potentially allowing unauthorized access to the portal.

💻 Affected Systems

Products:
  • Sourcecodester Engineers Online Portal
Versions: All versions prior to patch
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default installation with no additional configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the portal with administrative privileges, data exfiltration, and potential lateral movement to connected systems.

🟠 Likely Case

Unauthorized access to sensitive engineer data, portal manipulation, and potential data theft.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available requiring minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html

Restart Required: No

Instructions:

1. Download latest version from Sourcecodester
2. Replace vulnerable index.php and related files
3. Test authentication functionality

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement proper input validation and parameterized queries in login.php

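Modify the PHP code to use prepared statements, so the submitted values are bound as data and never concatenated into the SQL text:

    $stmt = $conn->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
    $stmt->bind_param('ss', $username, $password);  // both parameters bound as strings
    $stmt->execute();
    $result = $stmt->get_result();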

Web Application Firewall

all

Deploy WAF with SQL injection protection rules

🧯 If You Can't Patch

  • Implement network segmentation to isolate the portal from critical systems
  • Enable detailed logging and monitoring for suspicious login attempts

🔍 How to Verify

Check if Vulnerable:

Test login form with SQL injection payloads like ' OR '1'='1 in username/password fields

Check Version:

Check PHP files for vulnerable code patterns in index.php and login handling scripts

Verify Fix Applied:

Attempt SQL injection attacks after fix implementation; successful login should only occur with valid credentials

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in login attempts
  • Multiple failed logins from single IP
  • Successful logins with SQL-like patterns

Network Indicators:

  • POST requests to login.php containing SQL keywords
  • Unusual authentication patterns

SIEM Query:

source=web_logs AND (uri_path="/login.php" OR uri_path="/index.php") AND (request_body CONTAINS "OR" OR request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT")
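
The log indicators above as detection logic, in an added example that is not part of the original advisory or the portal's code: it URL-decodes each login POST body and matches SQL keywords as whole words, since a case-insensitive substring match on "OR" also hits values such as "password". The log line format, the OK/FAIL outcome field, the function names and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

LOGIN_PATHS = {"/login.php", "/index.php"}  # paths named in the SIEM query
# Quote or comment marker, or a keyword from the SIEM query as a whole word,
# so "gordon" and "Corridor42" do not match the way a substring "OR" test would.
SQLI = re.compile(r"['\"]|--|/\*|\b(?:or|union|select)\b", re.IGNORECASE)

# Constructed sample lines in an assumed format:
# timestamp ip method path outcome(OK|FAIL) url-encoded-body
SAMPLE_LOG = [
    "2021-11-05T10:00:01Z 198.51.100.4 POST /login.php OK username=gordon&password=Corridor42",
    "2021-11-05T10:00:09Z 203.0.113.7 POST /login.php FAIL username=%27+OR+%271%27%3D%271&password=x",
    "2021-11-05T10:00:12Z 203.0.113.7 POST /login.php OK "
    "username=%27+OR+%271%27%3D%271&password=%27+OR+%271%27%3D%271",
    "2021-11-05T10:01:00Z 192.0.2.9 POST /index.php FAIL username=jsmith&password=a",
    "2021-11-05T10:01:02Z 192.0.2.9 POST /index.php FAIL username=jsmith&password=b",
    "2021-11-05T10:01:04Z 192.0.2.9 POST /index.php FAIL username=jsmith&password=c",
    "2021-11-05T10:02:00Z 198.51.100.4 GET /index.php OK -",
]

def parse_line(line):
    """Split one log line; the body is URL-encoded, so it contains no spaces."""
    ts, ip, method, path, outcome, body = line.split(" ", 5)
    fields = dict(parse_qsl(body, keep_blank_values=True))  # decodes %27, + etc.
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "outcome": outcome, "fields": fields}

def analyze(lines, fail_threshold=3):
    """Return alerts for the three log indicators listed in the advisory."""
    alerts, failures = [], Counter()
    for line in lines:
        ev = parse_line(line)
        if ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        hits = sorted(k for k, v in ev["fields"].items() if SQLI.search(v))
        if hits:  # a successful login carrying SQL syntax is the urgent case
            kind = "sqli_login_success" if ev["outcome"] == "OK" else "sqli_attempt"
            alerts.append((kind, ev["ip"], hits))
        if ev["outcome"] == "FAIL":
            failures[ev["ip"]] += 1
    alerts += [("repeated_failures", ip, n)
               for ip, n in failures.items() if n >= fail_threshold]
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```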
