CVE-2023-39852
📋 TL;DR
CVE-2023-39852 is a SQL injection vulnerability in Doctormms v1.0 that allows attackers to execute arbitrary SQL commands via the $userid parameter in myAppoinment.php. This affects all users running the vulnerable version of Doctormms, potentially leading to data theft, modification, or deletion. The vulnerability's exploitability is disputed between the reporter and a third party regarding whether userid is properly controlled by server sessions.
💻 Affected Systems
- Doctormms (Doctor Appointment System)
📦 What is this software?
Doctor Appointment System by Doctor Appointment System Project
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data exfiltration, modification, or deletion; potential authentication bypass and remote code execution if database permissions allow.
Likely Case
Unauthorized access to sensitive patient/doctor data, appointment manipulation, or privilege escalation within the application.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.
🎯 Exploit Status
Exploitation requires authentication to reach myAppoinment.php. SQL injection is a well-understood attack vector with many available tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Implement workarounds or manually fix vulnerable code.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add input validation to ensure userid contains only expected characters (numbers) and sanitize before use in SQL queries.
Modify doctors\doctorlogin.php line 68: $_SESSION["userid"] = intval($_POST["userid"]);
Parameterized Queries Implementation
Replace all SQL queries in myAppoinment.php with parameterized/prepared statements to prevent SQL injection.
Replace raw SQL queries with PDO or mysqli prepared statements in myAppoinment.php
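The two workarounds above, written out as an added example (this is not Doctormms' own code): the integer cast at the doctorlogin.php assignment, and a prepared-statement version of the appointment lookup. The table and column names (appointment, id, doctor_id, appointment_date, userid) and the $conn mysqli handle are assumptions, not taken from the project.

```php
<?php
// Added example, not project code. Table/column names and the $conn
// mysqli connection handle are assumed for illustration.

// doctors/doctorlogin.php, line 68.
// Before: request input is copied into the session unchanged, so whatever
// the client sent later reaches the SQL in myAppoinment.php.
//   $_SESSION["userid"] = $_POST["userid"];
// After: coerce to an integer so only a numeric value can be stored.
$_SESSION["userid"] = intval($_POST["userid"] ?? 0);

// myAppoinment.php.
// Before: the value is interpolated into the query string and is parsed
// as SQL together with the rest of the statement.
//   $res = mysqli_query($conn, "SELECT * FROM appointment WHERE userid='$userid'");

// After: a prepared statement; the value is bound as data and never
// interpreted as part of the SQL text.
function fetchAppointments(mysqli $conn, int $userid): array
{
    $stmt = $conn->prepare(
        "SELECT id, doctor_id, appointment_date FROM appointment WHERE userid = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $conn->error);
    }
    $stmt->bind_param("i", $userid);   // "i": bind as integer
    $stmt->execute();
    // get_result() needs the mysqlnd driver; use bind_result() otherwise.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Defence in depth: re-cast at the point of use as well, so an older
// session created before the login fix cannot carry a non-integer value.
$userid = intval($_SESSION["userid"] ?? 0);
$appointments = fetchAppointments($conn, $userid);
```

Apply the same pattern to every query in myAppoinment.php that references $userid; a single remaining interpolated query leaves the page exploitable.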
🧯 If You Can't Patch
- Implement WAF (Web Application Firewall) with SQL injection rules
- Restrict database user permissions to minimum required, disable unnecessary functions
🔍 How to Verify
Check if Vulnerable:
Review doctors\doctorlogin.php line 68 for $_SESSION["userid"]=$_POST["userid"] and check myAppoinment.php for unparameterized SQL queries using $userid.
Check Version:
Check application files for version information or review source code comments
Verify Fix Applied:
Test with SQL injection payloads (e.g., ' OR '1'='1) in the userid parameter and verify that the queries fail or that the input is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple failed login attempts followed by SQL syntax in queries
- Unexpected database queries from single user sessions
Network Indicators:
- SQL keywords in POST parameters to myAppoinment.php
- Unusual database connection patterns
SIEM Query:
source="web_logs" AND (uri="/myAppoinment.php" AND (param="userid" AND value MATCH "'|--|;|UNION|SELECT"))
🔗 References
- https://github.com/KLSEHB/vulnerability-report/blob/main/Doctormms_CVE-2023-39852
- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html