CVE-2021-46024
📋 TL;DR
This CVE describes an unauthenticated SQL injection vulnerability in Projectworlds online-shopping-webvsite-in-php version 1.0. The 'id' parameter of cart_add.php is used in a database query without sanitisation or parameter binding, so anyone who can reach the page can append arbitrary SQL to the add-to-cart query without logging in. Any organisation running this version of the software is affected.
💻 Affected Systems
- Projectworlds online-shopping-webvsite-in-php
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the application database: reading, modifying or deleting any table the application's database account can access, and, if that account is over-privileged, execution of code on the database host (for example via MySQL's INTO OUTFILE when the account holds the FILE privilege, or via user-defined functions).
Likely Case
Data exfiltration of customer information, order details, and potentially administrative credentials stored in the database.
If Mitigated
Once the 'id' value is validated and bound through a prepared statement, the injection is closed; residual risk is limited to the other unsanitised inputs the application may have.
🎯 Exploit Status
SQL injection through a single GET/POST parameter is a well-understood class of bug, and off-the-shelf tools automate discovery and exploitation. No authentication is required, so an attacker needs only the URL of the cart_add.php endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/projectworldsofficial/online-shopping-webvsite-in-php/issues/3
Restart Required: No
Instructions:
No official patch is available, so the code must be fixed by hand:
1. Locate cart_add.php in the deployed application.
2. Replace every query that concatenates the 'id' value into SQL text with a prepared statement that binds 'id' as an integer parameter.
3. Validate the 'id' parameter server-side as a positive integer before it reaches the query, and reject anything else with an error response.
4. Apply the same review to any other script that builds SQL from request parameters; the advisory covers only cart_add.php, but the pattern is unlikely to be unique.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection protection rules in front of the application to block obviously malicious requests. Treat this as a stopgap: WAF signatures can be bypassed by encoding and obfuscation, so it reduces exposure but does not remove the vulnerability.
Input Validation Filter
Add server-side validation at the top of cart_add.php so that the 'id' parameter is accepted only when it is a positive integer, and then use the validated integer (not the raw request value) in the query:
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) { http_response_code(400); die('Invalid input'); }
FILTER_VALIDATE_INT is preferred over is_numeric(), which also accepts floats and exponent notation such as 1e3. Because the 'id' value is still interpolated into SQL text, this check only holds as long as no later line re-reads $_GET['id']; the real fix remains the prepared statement.
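The following handler combines the official remediation steps (prepared statements with the id bound as an integer) with the numeric-id workaround in one place. It is an added example, not the project's code: the table and column names (products, cart, product_id, session_id), the connection parameters and the cart.php redirect are assumptions and must be adjusted to the real schema.

```php
<?php
declare(strict_types=1);
// Added example, not the project's cart_add.php. The schema (products, cart),
// the connection details and the cart.php redirect are assumptions.

// --- Vulnerable pattern (the class of bug this advisory describes) ---
//   $id = $_GET['id'];
//   mysqli_query($conn, "SELECT * FROM products WHERE id = $id");
// The raw value becomes part of the SQL text, so id=1 OR 1=1 or a UNION
// payload changes the statement the database executes.

/**
 * Return the id as an int only if it is a plain positive integer, else null.
 * Rejects "1' OR '1'='1", "1 UNION SELECT ...", "1e3", "1.5", "0", "" and
 * arrays (id[]=1). FILTER_VALIDATE_INT tolerates surrounding whitespace and a
 * leading "+", which is harmless once the value is bound as an integer.
 */
function validate_product_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Add the product to the session's cart using prepared statements only.
 * The id is bound with type "i" (integer); it is never concatenated into SQL.
 */
function add_to_cart(mysqli $conn, string $sessionId, int $productId): bool
{
    $stmt = $conn->prepare('SELECT id FROM products WHERE id = ?');
    $stmt->bind_param('i', $productId);
    $stmt->execute();
    $exists = $stmt->get_result()->fetch_assoc() !== null;
    $stmt->close();
    if (!$exists) {
        return false;
    }

    $stmt = $conn->prepare(
        'INSERT INTO cart (session_id, product_id, quantity) VALUES (?, ?, 1)'
    );
    $stmt->bind_param('si', $sessionId, $productId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (PHP_SAPI !== 'cli') {   // web request: run the hardened handler
    session_start();
    $productId = validate_product_id($_GET['id'] ?? null);
    if ($productId === null) {
        http_response_code(400);
        exit('Invalid product id');
    }
    // Raise exceptions on database errors instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $conn = new mysqli('localhost', 'shop_user', 'change-me', 'shop');  // assumed
    $conn->set_charset('utf8mb4');
    if (!add_to_cart($conn, session_id(), $productId)) {
        http_response_code(404);
        exit('Unknown product');
    }
    header('Location: cart.php');
    exit;
} else {                    // CLI: show the validator's decisions on sample input
    foreach (['42', "1' OR '1'='1", '1 UNION SELECT 1,2,3', '1e3', '0', ['1']] as $raw) {
        printf("%-22s -> %s\n", is_array($raw) ? 'array' : $raw,
               var_export(validate_product_id($raw), true));
    }
}
```

Run with `php cart_add.php` from a shell to see which inputs the validator accepts (only `42` yields an integer); deployed under a web server, the same file performs the add-to-cart with the id bound as a parameter. Keep mysqli_report in strict mode so a failed prepare() throws rather than leaving the code to continue with a false handle.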
🧯 If You Can't Patch
- Isolate the vulnerable system behind a reverse proxy with strict input validation
- Implement network segmentation to limit database access from the web server
🔍 How to Verify
Check if Vulnerable:
On a system you are authorised to test, request the cart_add.php endpoint with an injection payload such as cart_add.php?id=1' OR '1'='1 and compare the response with a normal request (cart_add.php?id=1). A less destructive check is a boolean pair: cart_add.php?id=1' AND '1'='1 should behave like id=1, while cart_add.php?id=1' AND '1'='2 should behave like a non-existent product; a difference between the two indicates the value is being interpreted as SQL. A database error message in the response is also a positive result.
Check Version:
Version 1.0 is the only version listed as affected, but since no fixed release is published a version string alone proves nothing. Inspect cart_add.php directly: if the 'id' value is placed into the SQL string (string concatenation or interpolation) rather than bound with a prepared statement, the deployment is vulnerable whatever version it reports.
Verify Fix Applied:
Repeat the injection tests above and confirm that non-numeric 'id' values are rejected before any query runs (for example with an HTTP 400 and no database error), that the boolean pair now produces identical responses, and that the code path uses a prepared statement with the id bound as an integer.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web server logs
- Multiple rapid requests to cart_add.php with varying id parameters
- Requests to cart_add.php whose id value is anything other than a plain integer (quotes, spaces, comment sequences, SQL keywords such as UNION or SELECT, or an id[] array form); because a legitimate id is always numeric, any non-numeric value is suspicious on its own
Network Indicators:
- Unusual database connection patterns from web server
- Large data exfiltration from database server
SIEM Query (generic syntax; adapt field names and the regex operator to your platform):
source="web_logs" AND uri="*cart_add.php*" AND NOT match(uri_query, "^id=[0-9]+$")
If your platform lacks regex matching, a keyword version can be used instead, but expect false positives: the *OR* wildcard also matches ordinary words such as "order" and "color", so review hits rather than alerting on them directly:
source="web_logs" AND uri="*cart_add.php*" AND (query="*UNION*" OR query="*SELECT*" OR query="*OR*" OR query="*'*" OR query="*--*" OR query="*;*")
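The log indicators above turned into a small offline scanner, as an added example that is not part of the advisory: it parses access-log lines in the Apache/nginx combined format, flags every cart_add.php request whose id is not a plain integer after URL-decoding, and counts flagged requests per client for rate-based alerting. The sample lines are constructed; the last one contains "order" and shows why a crude *OR* keyword match is noisy. Only GET requests are covered, because POST bodies do not appear in access logs; POST probing needs a proxy or WAF that logs request bodies.

```php
<?php
declare(strict_types=1);
// Added example, not part of the advisory. Flags cart_add.php requests whose id
// parameter is not a plain positive integer. Sample lines below are constructed
// in Apache/nginx "combined" log format, which the regex assumes.

const ACCESS_LOG_RE =
    '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>[^ "]+) [^"]*" (?<status>\d{3}) /';

/** Return a finding for a suspicious cart_add.php request, or null if benign/irrelevant. */
function flag_line(string $line): ?array
{
    if (!preg_match(ACCESS_LOG_RE, $line, $m)) {
        return null;                                  // not a combined-format line
    }
    $url = parse_url($m['path']);
    if (!is_array($url) || basename($url['path'] ?? '') !== 'cart_add.php') {
        return null;                                  // a different endpoint
    }
    parse_str($url['query'] ?? '', $params);          // URL-decodes, so %27 becomes '
    $id = $params['id'] ?? null;
    if (is_string($id) && preg_match('/^\d+$/', $id) === 1) {
        return null;                                  // benign: plain integer id
    }
    return [
        'ip'     => $m['ip'],
        'time'   => $m['time'],
        'status' => (int) $m['status'],
        'id'     => $id === null ? '<missing>' : (is_array($id) ? '<array>' : $id),
    ];
}

/** Scan lines; return findings, a per-IP count, and the IPs at or over the threshold. */
function scan(array $lines, int $threshold = 3): array
{
    $findings = [];
    $perIp = [];
    foreach ($lines as $line) {
        $f = flag_line($line);
        if ($f === null) {
            continue;
        }
        $findings[] = $f;
        $perIp[$f['ip']] = ($perIp[$f['ip']] ?? 0) + 1;
    }
    $noisy = array_filter($perIp, fn(int $n): bool => $n >= $threshold);
    return ['findings' => $findings, 'per_ip' => $perIp, 'over_threshold' => $noisy];
}

// Constructed sample: one benign add-to-cart, three probes from one client
// (quote-based, UNION-based, and an array-typed id), and one unrelated request
// containing "order" that a crude *OR* keyword match would wrongly flag.
$sample = [
    '203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /cart_add.php?id=42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2022:10:00:02 +0000] "GET /cart_add.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "curl/7.81.0"',
    '203.0.113.9 - - [10/Jan/2022:10:00:02 +0000] "GET /cart_add.php?id=1%20UNION%20SELECT%201,2,3,4 HTTP/1.1" 500 0 "-" "curl/7.81.0"',
    '203.0.113.9 - - [10/Jan/2022:10:00:03 +0000] "GET /cart_add.php?id[]=1 HTTP/1.1" 500 0 "-" "curl/7.81.0"',
    '198.51.100.2 - - [10/Jan/2022:10:00:04 +0000] "GET /index.php?q=order+by+color HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
];

$report = scan($sample);
foreach ($report['findings'] as $f) {
    printf("%s %-12s status=%d id=%s\n", $f['time'], $f['ip'], $f['status'], $f['id']);
}
foreach ($report['over_threshold'] as $ip => $n) {
    echo "ALERT: $ip made $n suspicious cart_add.php requests\n";
}
```

Running it prints the three probes from 203.0.113.9 and one ALERT line for that address; the benign id=42 request and the index.php request produce nothing. To run it over a real log, replace `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)` and tune the threshold to the site's traffic; a 500 status on a flagged request is a strong sign the injected SQL reached the database.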