Railway Reservation System v1.0 - SQLi

Description

Railway Reservation System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

Vulnerabilities

CVE-2023-48685

The 'psd' parameter of the login.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-48687

The 'from' parameter of the reservation.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

$tostn = $_POST['to'];
$fromstn = $_POST['from'];
$doj = $_POST['date'];
$from=$_POST['from'];
$to=$_POST['to'];
$quota=$_POST['quota'];
$from=strtoupper($from);
$tostn=strtoupper($tostn);
$fromstn=strtoupper($fromstn);
$to=strtoupper($to);
$day=date("D",strtotime("".$doj));
//echo $day."</br>

CVE-2023-48689

The 'byname' parameter of the train.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

Our security policy

We have reserved the IDs CVE-2023-48685, CVE-2023-48687 and CVE-2023-48689 to refer to these issues from now on.

Disclosure policy

System Information

• Version: Railway Reservation System v1.0

• Operating System: Any

Mitigation

There is currently no patch available for this vulnerability.

References

• Vendor page https://projectworlds.in/