CVE-2022-2298
📋 TL;DR
This is a critical SQL injection vulnerability in SourceCodester Clinics Patient Management System 2.0 that allows attackers to bypass authentication on the login page. By injecting SQL commands into the user_name parameter, attackers can gain unauthorized access to the system. All installations of version 2.0 are affected.
💻 Affected Systems
- SourceCodester Clinics Patient Management System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing data theft, modification, or deletion of patient records, and potential lateral movement to other systems.
Likely Case
Unauthorized access to patient management system leading to data breach of sensitive medical information.
If Mitigated
Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.
🎯 Exploit Status
Simple SQL injection payloads can bypass authentication without requiring any prior access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to sanitize the user_name parameter before it reaches SQL processing
Modify /pms/index.php to use prepared statements or parameterized queries
Web Application Firewall Rule
Block SQL injection patterns in the user_name parameter
Add WAF rule to detect and block patterns like 'or '1'='1' in login requests
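As an added illustration (not code from the Clinics Patient Management System), the constructed Python model below shows why the prepared-statement workaround closes the bypass: the same login lookup is written once by string concatenation and once parameterised, and the advisory's payload is run against both. SQLite, the `users` table and the sample account are assumptions standing in for the application's real user store.

```python
"""
Constructed model of the CVE-2022-2298 login flaw and its fix.
Not the project's code: an in-memory SQLite table stands in for the
application's user table, and the payload from the advisory is run
against both the string-built query and the parameterised one.
"""
import sqlite3

# Constructed sample data; the real schema is not given on the page.
# Plaintext password is only for the demo; store hashes in practice.
SAMPLE_USERS = [("admin", "correct-horse-battery-staple")]


def make_db():
    """Create the stand-in user table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, user_name, password):
    """Query built by string concatenation: attacker-controlled user_name
    becomes part of the SQL grammar, so a quote can rewrite the WHERE."""
    sql = ("SELECT COUNT(*) FROM users WHERE user_name='" + user_name
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, user_name, password):
    """Parameterised query: values travel separately from the statement,
    so the same input is compared as a literal string and never parsed."""
    sql = "SELECT COUNT(*) FROM users WHERE user_name=? AND password=?"
    return conn.execute(sql, (user_name, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1"          # payload named in the advisory
    print(login_vulnerable(db, payload, "x"))  # True: authentication bypassed
    print(login_fixed(db, payload, "x"))       # False: treated as a literal
    print(login_fixed(db, "admin", "correct-horse-battery-staple"))  # True
```

The bypass works against the concatenated query because `AND` binds tighter than `OR`, so the clause becomes `user_name='admin' OR ('1'='1' AND password='x')`; the parameterised version compares the whole payload as a username and finds no row.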
🧯 If You Can't Patch
- Implement network segmentation to isolate the system from sensitive networks
- Enable detailed logging and monitoring for SQL injection attempts on the login page
🔍 How to Verify
Check if Vulnerable:
Attempt to log in with the payload admin' or '1'='1 in the username field. If the login succeeds without valid credentials, the system is vulnerable.
Check Version:
Check the system documentation or about page for version information, or examine the PHP files for version markers.
Verify Fix Applied:
Attempt the same SQL injection payload. System should reject the login attempt or return an error without granting access.
📡 Detection & Monitoring
Log Indicators:
- Failed login attempts with SQL keywords in username field
- Successful logins from unusual IP addresses after SQL injection patterns
Network Indicators:
- HTTP POST requests to /pms/index.php containing SQL injection patterns in parameters
SIEM Query:
source="web_logs" AND uri="/pms/index.php" AND (user_name CONTAINS "'or'" OR user_name CONTAINS "'1'='1'")
🔗 References
- https://github.com/CyberThoth/CVE/blob/63e283e7d7dad3783237f15cdae2bb649bc1e198/CVE/Clinic%27s%20Patient%20Management%20System/SQLi/POC.md
- https://vuldb.com/?id.203179