CVE-2023-29622
📋 TL;DR
Purchase Order Management v1.0 contains a SQL injection vulnerability in the admin login page that allows attackers to execute arbitrary SQL commands via the password parameter. This can lead to authentication bypass, data theft, or complete system compromise. Any organization using this software version is affected.
💻 Affected Systems
- Purchase Order Management
📦 What is this software?
Purchase Order Management by Purchase Order Management Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover: attacker gains administrative access, extracts all database contents (including sensitive business data and credentials), and potentially executes operating system commands leading to full server compromise.
Likely Case
Authentication bypass allowing unauthorized admin access, followed by data exfiltration of purchase orders, vendor information, and user credentials.
If Mitigated
Attack attempts are logged and blocked by input validation or WAF, with no successful exploitation.
🎯 Exploit Status
SQL injection in login page is trivial to exploit with standard SQLi techniques. Public proof-of-concept exists in GitHub repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: No
Instructions:
No official patch available. Consider migrating to alternative software or implementing workarounds.
🔧 Temporary Workarounds
Input Validation and Parameterized Queries
Modify login.php to use prepared statements with parameterized queries instead of concatenating user input into SQL.
Replace vulnerable code with: $stmt = $conn->prepare('SELECT * FROM users WHERE username = ? AND password = ?'); $stmt->bind_param('ss', $username, $password); $stmt->execute();
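A fuller version of that fix, as an added example rather than the project's own code: it keeps the advisory's users/username/password naming for the lookup but assumes a mysqli connection, a password_hash column holding password_hash() values, and hypothetical connection parameters, none of which the advisory specifies.

```php
<?php
// Added example (not the project's code): hardened admin login for login.php.
// Assumptions: mysqli connection, a users table with a password_hash column
// created by password_hash(), and the connection parameters shown below.
declare(strict_types=1);
session_start();

// The pattern the advisory describes, shown for contrast only: user input is
// spliced into the SQL text, so the password value can change the query.
function vulnerableQuery(string $username, string $password): string
{
    return "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
}

// Hardened lookup: the SQL text is fixed and the username travels as a bound
// parameter, so a value such as ' OR '1'='1 is compared literally, never parsed.
function authenticate(mysqli $conn, string $username, string $password): ?array
{
    $stmt = $conn->prepare('SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against the stored hash in PHP; the database never sees the plaintext.
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Request handling (assumed connection parameters).
$conn = new mysqli('localhost', 'app_user', 'app_password', 'purchase_order');
$conn->set_charset('utf8mb4');
$username = $_POST['username'] ?? '';
$user = authenticate($conn, $username, $_POST['password'] ?? '');
if ($user === null) {
    // Failed attempts are logged with the source address for the monitoring
    // indicators listed later in this advisory.
    error_log(sprintf('admin login failed user=%s ip=%s', $username, $_SERVER['REMOTE_ADDR'] ?? '?'));
    http_response_code(401);
    exit('Invalid credentials');
}
session_regenerate_id(true);
$_SESSION['admin_id'] = $user['id'];
```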
Web Application Firewall (WAF) Rules
Deploy WAF rules to block SQL injection patterns targeting the /purchase_order/admin/login.php endpoint.
ModSecurity rule: SecRule ARGS:password "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt detected'"
🧯 If You Can't Patch
- Isolate the Purchase Order Management system in a separate network segment with strict access controls.
- Implement multi-factor authentication for admin access and monitor all login attempts to the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
Test the login endpoint with SQL injection payloads like: password=' OR '1'='1
Check Version:
Check software version in admin panel or readme files. No standard command available.
Verify Fix Applied:
Attempt SQL injection after implementing parameterized queries and verify login fails with malicious input.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL syntax in password field of login attempts
- Multiple failed login attempts with SQL keywords
- Successful admin login from unexpected IP addresses
Network Indicators:
- HTTP POST requests to /purchase_order/admin/login.php containing SQL keywords in parameters
- Unusual database query patterns from web server
SIEM Query:
source="web_logs" AND url_path="/purchase_order/admin/login.php" AND (password CONTAINS "OR" OR password CONTAINS "UNION" OR password CONTAINS "SELECT")
🔗 References
- https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Purchase-Order-Management-1.0/SQLi
- https://portswigger.net/web-security/sql-injection