CVE-2021-43451

9.8 CRITICAL

📋 TL;DR

This CVE describes a SQL injection vulnerability in PHPGURUKUL Employee Record Management System 1.2. The email parameter of forgetpassword.php (the password-reset page) is concatenated into a database query unescaped, so an attacker who can reach the page, which needs no login, can inject SQL and read or alter the backing database. Organizations running this version of the software are affected.

💻 Affected Systems

Products:
  • PHPGURUKUL Employee Record Management System
Versions: Version 1.2
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations. Requires PHP environment with database connectivity.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data exfiltration, authentication bypass, privilege escalation, and potential remote code execution if database permissions allow.

🟠

Likely Case

Unauthorized access to employee records, password hash extraction, and potential authentication bypass to gain administrative access.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH - The forgetpassword.php endpoint is typically internet-facing and accessible without authentication.
🏢 Internal Only: MEDIUM - Internal systems could still be exploited by malicious insiders or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on Exploit-DB and GitHub. No authentication required to reach vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

1. Review the vulnerable forgetpassword.php file and locate the query that looks up the submitted email address.
2. Replace the string-built query with a prepared statement that binds the email as a parameter; this is the actual fix.
3. Add server-side validation of the email parameter (valid address format, sane length) as defense in depth, not as a substitute for step 2.
4. Test the fix thoroughly before deployment, including the injection probes listed under How to Verify.
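The following is an added example, not PHPGurukul's code or a patch from the vendor. It puts the vulnerable pattern the CVE describes beside a hardened version using a mysqli prepared statement. The table name `tblemployees`, the column `EmailId`, the `$con` connection and the `$_POST['email']` field name are assumptions for illustration, not taken from the advisory.

```php
<?php
// Added example, not PHPGurukul's code. It shows the vulnerable pattern
// CVE-2021-43451 describes beside a hardened replacement. Assumed, not taken
// from the advisory: a mysqli connection in $con, a table `tblemployees` with
// a column `EmailId`, and the field arriving as $_POST['email'].

declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// VULNERABLE (before): user input is spliced into the SQL text.
function lookupEmailVulnerable(mysqli $con, string $email): ?array
{
    // email = test' OR '1'='1  rewrites the WHERE clause into a tautology,
    // so the query matches every row and the "address found" branch runs
    // without a valid address; UNION-based payloads can read other columns.
    $sql = "SELECT EmailId FROM tblemployees WHERE EmailId='" . $email . "'";
    $row = $con->query($sql)->fetch_assoc();
    return $row ?: null;
}

// HARDENED (after): validate the shape, then bind the value as data.
function lookupEmailSafe(mysqli $con, string $email): ?array
{
    // Shape check first; this alone is not the fix, it only cuts noise.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The SQL text is fixed; the value travels separately and can never
    // change the query's structure, whatever characters it contains.
    $stmt = $con->prepare('SELECT EmailId FROM tblemployees WHERE EmailId = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Handler sketch: same response whether or not the address exists, so the
// reset form cannot be used to enumerate employee e-mail addresses.
function handleForgotPassword(mysqli $con, array $post): string
{
    $email = (string)($post['email'] ?? '');
    $row = lookupEmailSafe($con, $email);
    if ($row !== null) {
        // generate and send the reset link here (not shown)
    }
    return 'If that address is registered, a reset link has been sent.';
}
```

The prepared statement is what closes the injection; `filter_var` only narrows what reaches it. The uniform response in `handleForgotPassword` is a separate hardening step, since a reset page that answers differently for known and unknown addresses lets an attacker confirm employee accounts even after the injection is fixed.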

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Add server-side validation so the email parameter must be a syntactically valid address before it reaches the query. This is a stopgap that blocks the quote-based payloads seen in the wild; it does not replace parameterized queries.

// PHP code to validate email format; place it before the database lookup
// in forgetpassword.php. Use ?? '' so a missing field is rejected rather
// than raising a notice.
if (filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    die('Invalid email format');
}

WAF Rule Implementation

Platform: Linux

Deploy web application firewall rules to block SQL injection patterns in the email parameter. Match case-insensitively on the URL-decoded value, or variants such as UnIoN and %27 pass straight through. Expect false positives: an apostrophe is legal in the local part of an address (o'brien@example.com), so a keyword-only rule is safer than one that blocks on a lone quote.

# ModSecurity rule example (closing quote on the action list was missing)
SecRule ARGS:email "@rx (?i)(?:'|\"|;|--|/\*|\b(?:union|select|insert|update|delete|drop|create|alter)\b)" \
    "id:1001,phase:2,deny,status:403,t:none,t:urlDecodeUni,msg:'SQL Injection Attempt'"

🧯 If You Can't Patch

  • Block external access to /forgetpassword.php endpoint at network perimeter
  • Implement rate limiting and monitoring on the forgetpassword.php endpoint

🔍 How to Verify

Check if Vulnerable:

Submit a deliberately malformed value to the forgetpassword.php email field, for example a lone single quote or email=test' OR '1'='1, and compare the response with that for a well-formed address. A database error in the page, a 500, or a "reset link sent" response for an address that does not exist all indicate the parameter reaches the query unescaped. Only test systems you are authorized to assess.

Check Version:

Check PHPGURUKUL Employee Record Management System version in admin panel or configuration files

Verify Fix Applied:

Repeat the injection probes and confirm that a quote in the email parameter neither changes the query result nor produces a database error; the response should be identical to that for an unknown but well-formed address. Confirm by code review that the query is a prepared statement, since a WAF rule or error suppression alone can make the probe look fixed while the injection remains.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in PHP logs
  • Multiple failed password reset attempts with SQL-like patterns
  • Requests to forgetpassword.php with special characters in email parameter

Network Indicators:

  • HTTP POST requests to /forgetpassword.php containing SQL keywords
  • Unusual database query patterns from web server

SIEM Query (Splunk-style; run the match against the URL-decoded parameter and case-insensitively, or encoded and mixed-case payloads such as %27 and UnIoN will be missed):

source="web_logs" AND uri="/forgetpassword.php" AND (email="*'*" OR email="*;*" OR email="*--*" OR email="*union*" OR email="*select*")
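As an added example, not part of the advisory, the detection logic above run offline over constructed log lines. It URL-decodes the email parameter, case-folds before keyword matching, and scores a breakout character and a SQL keyword separately so that a legitimate address containing an apostrophe is not flagged on its own. It assumes (the page does not say) that the parameter is visible in the logged request line, which is the case when the form submits by GET or when the server logs POST bodies in the same key=value form; the log lines are constructed, not real traffic.

```php
<?php
// Added example, not part of the advisory: flag forgetpassword.php requests
// whose email parameter carries SQL metacharacters, after URL-decoding and
// case-folding. Assumes (not from the page) that the parameter appears in the
// logged request line. Log lines below are constructed, not real traffic.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [12/Nov/2021:10:01:02 +0000] "POST /erms/forgetpassword.php?email=alice%40example.com HTTP/1.1" 200 512
203.0.113.11 - - [12/Nov/2021:10:01:09 +0000] "POST /erms/forgetpassword.php?email=test%27+OR+%271%27%3D%271 HTTP/1.1" 200 988
203.0.113.11 - - [12/Nov/2021:10:01:15 +0000] "POST /erms/forgetpassword.php?email=x%27+UnIoN+SeLeCt+1%2C2%2C3--+- HTTP/1.1" 500 0
203.0.113.12 - - [12/Nov/2021:10:02:00 +0000] "GET /erms/index.php HTTP/1.1" 200 3021
203.0.113.13 - - [12/Nov/2021:10:02:30 +0000] "POST /erms/forgetpassword.php?email=o%27brien%40example.com HTTP/1.1" 200 512
LOG;

// Score a decoded email value. A quote or comment sequence alone is weak
// evidence (apostrophes are legal in a local part, e.g. o'brien@); a SQL
// keyword alone is weak too (or@example.com is a valid address); both
// together is what an injection payload looks like.
function sqliScore(string $value): int
{
    $score = 0;
    if (preg_match('/[\'";]|--|\/\*/', $value)) {
        $score += 1;
    }
    if (preg_match('/\b(?:union|select|insert|update|delete|drop|or|and)\b/i', $value)) {
        $score += 2;
    }
    return $score;
}

// Return one finding per suspicious request: [ip, decoded email, score].
function scanForgetPasswordLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        [, $ip, $target] = $m;
        $path = parse_url($target, PHP_URL_PATH) ?? '';
        if (basename($path) !== 'forgetpassword.php') {
            continue;
        }
        // parse_str URL-decodes, so %27 and + become ' and space here.
        parse_str((string)parse_url($target, PHP_URL_QUERY), $params);
        $email = (string)($params['email'] ?? '');
        $score = sqliScore($email);
        if ($score >= 3) { // require both a breakout character and a keyword
            $findings[] = [$ip, $email, $score];
        }
    }
    return $findings;
}

// Expected: the two 203.0.113.11 requests are reported; alice@ and
// o'brien@ are not.
foreach (scanForgetPasswordLog(SAMPLE_LOG) as [$ip, $email, $score]) {
    printf("%-14s score=%d  email=%s\n", $ip, $score, $email);
}
```

The threshold of 3 is the point of the example: the SIEM query on this page fires on any quote, which catches the o'brien@ address as well as the attack. Requiring a keyword alongside the metacharacter keeps the rule useful on a reset form, where quoted local parts are rare but not abnormal; pair it with a per-IP rate threshold to catch the repeated probing that precedes a successful injection.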

🔗 References
