CVE-2023-45018 – Online Bus Booking System v1.0 contains unauthe... (How to Fix)

📋 TL;DR

Online Bus Booking System v1.0 contains unauthenticated SQL injection vulnerabilities in the login.php file, allowing attackers to execute arbitrary SQL commands without credentials. This affects all deployments of this specific software version. Attackers can potentially access, modify, or delete database contents.

💻 Affected Systems

Products:

Online Bus Booking System

Versions: v1.0

Operating Systems: Any

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of v1.0 are vulnerable by default

📦 What is this software?

Online Bus Booking System by Online Bus Booking System Project

View all CVEs affecting Online Bus Booking System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, authentication bypass, remote code execution, or system takeover

🟠

Likely Case

Database information disclosure, credential theft, and potential privilege escalation

🟢

If Mitigated

Limited impact if proper input validation and WAF rules are in place

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple SQL injection via username parameter requires no authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://projectworlds.in/

Restart Required: No

Instructions:

1. Check vendor website for updated version
2. Replace vulnerable login.php file
3. Implement parameterized queries
4. Add input validation

🔧 Temporary Workarounds

Input Validation Workaround

all

Add input validation to login.php to filter SQL injection attempts

Edit includes/login.php to add input sanitization

WAF Protection

all

Deploy web application firewall with SQL injection rules

🧯 If You Can't Patch

Isolate the system behind a firewall with strict access controls
Implement network segmentation and monitor for SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Test login.php with SQL injection payloads in username parameter

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify input validation prevents SQL injection attempts

📡 Detection & Monitoring

Log Indicators:

Unusual SQL errors in web logs
Multiple failed login attempts with SQL payloads

Network Indicators:

SQL keywords in HTTP POST requests to login.php

SIEM Query:

source="web_logs" AND ("SQL syntax" OR "username=' OR" OR "UNION SELECT")

📊 Metadata

CVE ID: CVE-2023-45018

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: November 2, 2023

Last Updated: November 21, 2024

🔗 References

https://fluidattacks.com/advisories/oconnor Exploit,Third Party Advisory
https://projectworlds.in/ Product
https://fluidattacks.com/advisories/oconnor Exploit,Third Party Advisory
https://projectworlds.in/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-45018, you might also want to check these: