A SQL injection vulnerability was discovered in Sourcecodester Contact Manager with Export to VCF (delete-contact.php)
CVE-2024-8380
A vulnerability was found in SourceCodester Contact Manager with Export to VCF 1.0. It has been rated as critical. This issue affects some unknown processing of the file /endpoint/delete-account.php of the component Delete Contact Handler. The manipulation of the argument contact leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Affected Project: Sourcecodester Contact Manager with Export to VCF 1.0
Official Website: https://www.sourcecodester.com/php/17556/contact-manager-export-vcf-using-php-and-mysql-source-code.html
Version: 1.0
Related Code file: delete-contact.php
Injection parameter: contact
Analysis
The contact parameter from the GET request is used directly in the SQL query without any validation or escaping, making the code susceptible to SQL injection attacks.
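To illustrate the pattern described above, here is an added example (not the project's own code) showing the vulnerable concatenation beside a hardened version that validates the value and binds it as a parameter; the `contacts` table, `id` column and the mysqli connection details are assumptions.

```php
<?php
// Added example, not the project's own code. The table/column names
// (`contacts`, `id`) and the connection details are assumptions.
$db = new mysqli('localhost', 'app_user', 'app_pass', 'contact_manager');

// Vulnerable pattern: the GET parameter is concatenated into the query
// string, so a crafted ?contact= value changes the query's structure
// instead of being treated purely as data.
function deleteContactVulnerable(mysqli $db): bool
{
    $id  = $_GET['contact'];                         // untrusted input
    $sql = "DELETE FROM contacts WHERE id = '$id'";  // no validation, no escaping
    return $db->query($sql) !== false;
}

// Hardened form: enforce the expected type, then use a prepared statement
// so the value can only ever be bound as data, never parsed as SQL.
function deleteContactSafe(mysqli $db): bool
{
    $id = filter_input(INPUT_GET, 'contact', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);                     // reject non-integer ids
        return false;
    }
    // An authentication/authorization check on the session belongs here too,
    // so that a valid id can only delete a contact the caller is allowed to.
    $stmt = $db->prepare('DELETE FROM contacts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```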
Demonstration
Below is the Contact Manager with Export to VCF app:
We can delete a contact as such:
Let’s intercept the delete contact traffic using Burp Suite:
Save the traffic to a file and run sqlmap against it:
We can see that the parameter contact is vulnerable: