CVE-2022-31976 Scanner

The Online Fire Reporting System version 1.0 is a web application designed to facilitate the reporting and management of fire incidents online. It is primarily used by emergency services, fire departments, and possibly by public entities to streamline the process of fire reporting. This system enables users to submit fire reports, view incident details, and manage fire incident data efficiently. It aims to improve response times and the coordination of emergency services. Developed for ease of use and accessibility, it serves as a critical tool for managing fire-related incidents and enhancing public safety measures.

The vulnerability identified in the Online Fire Reporting System version 1.0 pertains to an SQL Injection flaw. This vulnerability arises due to insufficient validation and sanitization of user-supplied inputs within the application's web forms or URLs. Attackers can exploit this weakness by injecting malicious SQL commands into the system, which could lead to unauthorized access to the database, data leakage, or manipulation. It poses a significant security risk, as it can compromise the integrity and confidentiality of sensitive data stored in the application's database.

Specifically, the SQL Injection vulnerability is found in the /ofrs/classes/Master.php?f=delete_request endpoint of the Online Fire Reporting System. The vulnerable parameter is the id parameter, which is not properly sanitized, allowing attackers to inject arbitrary SQL code. This flaw enables attackers to manipulate SQL queries executed by the application, facilitating unauthorized actions such as data retrieval, modification, and deletion. The exploitation of this vulnerability could allow attackers to gain access to confidential information or disrupt the application's functionality.

Exploitation of this SQL Injection vulnerability could have several adverse effects. Attackers could gain unauthorized access to the database, leading to the leakage of sensitive information such as personal details of users and reports of fire incidents. It could also allow attackers to alter or delete critical data, potentially disrupting the application's operations and compromising public safety efforts. Additionally, it could be used as a foothold for further attacks against the system or its users.

By leveraging the security scanning capabilities of the securityforeveryone platform, users can proactively identify and address vulnerabilities such as SQL Injection in their digital assets. This platform offers comprehensive vulnerability scanning and cyber threat exposure management, helping users to secure their systems against potential cyber threats. Becoming a member provides access to advanced scanning tools, expert support, and actionable insights to enhance your cybersecurity posture. Protect your digital assets and ensure the security of sensitive information with the securityforeveryone platform.

References

• https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-4.md
• https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html
• https://nvd.nist.gov/vuln/detail/CVE-2022-31976