Easy!Appointments SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability exists in Easy!Appointments version 1.5.1. A low-privileged authenticated user can exploit it by sending a crafted HTTP POST request containing a malicious 'order_by' parameter. The flaw permits time-based blind SQL injection, and therefore unauthorized SQL execution against the underlying MySQL database, which could escalate to full SQL injection exploitation.

Impact

Exploitation of this vulnerability allows time-based blind SQL injection: an attacker can manipulate the application's SQL queries and potentially execute arbitrary SQL statements against the database. This could lead to unauthorized data access or data manipulation and, where the database account and host configuration permit it, to command execution on the server.

Reproduction

To reproduce this vulnerability, intercept a valid authenticated request to one of the vulnerable endpoints, such as '/index.php/customers/search' or '/index.php/providers/search'. Add the hidden 'order_by' parameter in the request body and inject a malicious payload, such as a time-based SQL injection payload. Send the modified request and observe the delayed application response, which confirms the successful exploitation of the vulnerability.

Remediation

Users are advised to update to Easy!Appointments version 1.5.2, which addresses this vulnerability.
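For readers who want to see the class of defect and its fix side by side, the following is an added example written for this page; it is not Easy!Appointments' own code, and the table, column names, and the Python/SQLite setting are assumptions chosen to keep it self-contained. A user-controlled sort parameter cannot be bound as a prepared-statement value (ORDER BY takes an identifier, not a literal), so the hardened form maps the request value onto an allowlist of column names and directions and rejects everything else; the unsafe form is shown only for contrast and is never called with request data.

```python
import sqlite3
from typing import Optional

# Allowlist of sortable columns and directions. These names are assumed for the
# example; a real application lists exactly the columns its UI can sort on.
ALLOWED_ORDER_COLUMNS = {"id", "first_name", "last_name", "email"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
DEFAULT_ORDER_BY = "last_name ASC"


class InvalidOrderBy(ValueError):
    """Raised when a request's order_by value is not on the allowlist."""


def normalize_order_by(order_by: Optional[str]) -> str:
    """Turn a request-supplied order_by into an allowlisted 'column DIRECTION'.

    Only the canonical allowlisted strings ever reach the SQL text; the raw
    request value itself is never interpolated.
    """
    if order_by is None or not order_by.strip():
        return DEFAULT_ORDER_BY
    parts = order_by.strip().split()
    if len(parts) == 1:
        column, direction = parts[0], "ASC"
    elif len(parts) == 2:
        column, direction = parts
    else:
        raise InvalidOrderBy(order_by)
    column = column.lower()
    direction = direction.upper()
    if column not in ALLOWED_ORDER_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise InvalidOrderBy(order_by)
    return f"{column} {direction}"


def is_valid_order_by(order_by: Optional[str]) -> bool:
    """Convenience predicate for input validation and for tests."""
    try:
        normalize_order_by(order_by)
        return True
    except InvalidOrderBy:
        return False


def search_customers_unsafe(conn, keyword: str, order_by: str):
    # Vulnerable pattern (shown for contrast only): the sort expression is pasted
    # straight into the SQL text, so whatever the client sends becomes part of
    # the query. The LIKE value is bound correctly, which does not help here.
    sql = ("SELECT id, first_name, last_name, email FROM customers "
           f"WHERE last_name LIKE ? ORDER BY {order_by}")
    return conn.execute(sql, (f"%{keyword}%",)).fetchall()


def search_customers(conn, keyword: str, order_by: Optional[str]):
    # Hardened form: the only text that can appear after ORDER BY is one of the
    # fixed strings produced by normalize_order_by().
    sql = ("SELECT id, first_name, last_name, email FROM customers "
           f"WHERE last_name LIKE ? ORDER BY {normalize_order_by(order_by)}")
    return conn.execute(sql, (f"%{keyword}%",)).fetchall()


def make_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, "
                 "first_name TEXT, last_name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (first_name, last_name, email) VALUES (?, ?, ?)",
        [("Ada", "Lovelace", "ada@example.invalid"),
         ("Alan", "Turing", "alan@example.invalid"),
         ("Grace", "Hopper", "grace@example.invalid")])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    for row in search_customers(db, "", "first_name desc"):
        print(row)
    print("accepts 'created_at'?", is_valid_order_by("created_at"))
```

The allowlist, not escaping, is the point: escaping quotes does nothing for an identifier position, and any value that is not one of the fixed column/direction pairs is rejected before a query is built, which also gives the application a clean place to log rejected sort parameters.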

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  6.6
remediation     0.0
relevance       0.4
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.