Critical SQL Injection in Lost & Found Systems: What Indian SMBs Must Know
What Happened
A critical-severity SQL injection vulnerability has been discovered in SourceCodester's Lost and Found Information System version 1.0. The flaw exists in the items/view.php file, specifically in how the GET parameter id is handled. By manipulating this parameter, an unauthenticated attacker can inject malicious SQL commands directly into the application's database queries.
The vulnerability allows remote attackers to:
- Extract sensitive data (user credentials, personal information, transaction records)
- Modify or delete database records
- Potentially execute system-level commands depending on database permissions
- Gain administrative access to the entire system
According to NIST NVD (National Vulnerability Database), this vulnerability was assigned CVE-2023-2672 and classified as CVSS 9.8 (Critical), the highest severity band. The public disclosure date means the window for silent exploitation is already closing.
Why This Matters for Indian Businesses
If you're running a Lost and Found system—whether you're a hospital managing patient belongings, a university tracking student items, or a corporate office handling lost property—this vulnerability directly threatens you.
DPDP Act Compliance Risk
Under India's Digital Personal Data Protection (DPDP) Act, 2023, which came into force in August 2023, organizations are required to:
- Implement reasonable security measures to protect personal data
- Notify the Data Protection Board within 30 days of discovering a breach
- Maintain audit trails of data access
A Lost and Found system typically holds exactly the kind of personal data the Act covers:
- Names, phone numbers, and email addresses of people who lost items
- Descriptions of lost items (which might reveal sensitive information)
- Employee data (if staff manage the system)
- Potentially payment information if the system handles compensation claims
CERT-In 6-Hour Reporting Mandate
The Indian Computer Emergency Response Team (CERT-In) requires organizations to report cybersecurity incidents to cert-in@cert-in.org.in within 6 hours of discovery. A SQL injection breach on your Lost and Found system would trigger this mandatory reporting requirement.
RBI and SEBI Guidelines
If your organization handles any financial transactions (reimbursement for lost items, insurance claims), you fall under RBI cybersecurity guidelines. The RBI's "Cyber Security Framework for Banks" explicitly mandates:
- Regular vulnerability assessments
- Penetration testing at least annually
- Immediate patching of critical vulnerabilities
Real Impact for Indian SMBs
In my years building enterprise systems, I've seen this pattern repeatedly: organizations deploy open-source or low-cost solutions without understanding their security implications. A Lost and Found system might seem low-risk until an attacker uses it as an entry point to your broader network.
We've analyzed security postures of hundreds of Indian SMBs, and many are running vulnerable versions of popular open-source applications without even knowing it. The combination of:
- Public exploit availability
- DPDP Act penalties
- CERT-In reporting requirements
- Potential reputational damage
Technical Breakdown
How the Attack Works
The vulnerability exists because the Lost and Found system takes user input (the id parameter from the URL) and directly concatenates it into a SQL query without sanitization or parameterized queries.
Here's what a vulnerable code pattern looks like:
<?php
// VULNERABLE CODE - DO NOT USE
$id = $_GET['id']; // User input from URL
$query = "SELECT * FROM items WHERE id = " . $id; // Direct concatenation
$result = mysqli_query($connection, $query);
?>
An attacker would craft a malicious URL like:
https://yourserver.com/items/view.php?id=1 OR 1=1--
This transforms the SQL query into:
SELECT * FROM items WHERE id = 1 OR 1=1--
Since 1=1 is always true and the -- comments out whatever follows, the WHERE clause matches every row, so the attacker retrieves ALL records instead of just one item.
More sophisticated attacks use UNION-based injection to extract data from other tables:
https://yourserver.com/items/view.php?id=1 UNION SELECT username, password, email FROM users--
Or time-based blind SQL injection to extract data character by character:
https://yourserver.com/items/view.php?id=1 AND SLEEP(5)--
Attack Flow Diagram
graph TD
A[Attacker identifies vulnerable URL] -->|Crafts malicious payload| B[Injects SQL via GET parameter]
B -->|Application concatenates input| C[Malicious SQL sent to database]
C -->|Database executes unintended query| D[Unauthorized data retrieved]
D -->|Attacker extracts sensitive data| E[Credentials, PII, records compromised]
E -->|Data sold or used for further attacks| F[Lateral movement to internal network]
F -->|Attacker gains system access| G[Complete breach]
Why Parameterized Queries Prevent This
The fix is simple: use parameterized queries (also called prepared statements). Here's the secure version:
<?php
// SECURE CODE - USE THIS INSTEAD
$id = $_GET['id'];
// Using a parameterized query with mysqli
$query = "SELECT * FROM items WHERE id = ?";
$stmt = $connection->prepare($query);
$stmt->bind_param("i", $id); // "i" means integer type
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo $row['item_name'];
}
?>
Or using PDO (a more modern approach):
<?php
// SECURE CODE - PDO METHOD
$id = $_GET['id'];
$query = "SELECT * FROM items WHERE id = :id";
$stmt = $pdo->prepare($query);
$stmt->execute(['id' => $id]);
foreach ($stmt->fetchAll() as $row) {
    echo $row['item_name'];
}
?>
With parameterized queries, the database engine knows that the user input is data, not executable SQL code. The SQL structure is defined first, and the user input is bound to it afterwards.
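To make the difference observable, here is an added example (not code from the article or from the SourceCodester project) that reproduces the concatenated query, the parameterized query and the validate-then-bind version against an in-memory SQLite table of constructed sample rows, in Python rather than PHP so it runs without a MySQL server:

```python
import sqlite3

# Constructed sample rows standing in for the Lost and Found "items" table.
SAMPLE_ITEMS = [
    (1, "Black leather wallet"),
    (2, "Student ID card"),
    (3, "Hospital visitor badge"),
]

# The tautology payload from the article's example URL, already URL-decoded.
PAYLOAD = "1 OR 1=1--"

def make_db():
    """Create an in-memory database holding the sample items."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, item_name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ITEMS)
    return conn

def view_item_vulnerable(conn, raw_id):
    """Same mistake as the vulnerable view.php: the input becomes part of the SQL text."""
    query = "SELECT id, item_name FROM items WHERE id = " + raw_id
    return conn.execute(query).fetchall()

def view_item_parameterized(conn, raw_id):
    """Same idea as the prepared-statement fix: the SQL structure is fixed first and
    the input is bound as one value, so '1 OR 1=1--' is compared as a string and
    matches no row instead of being parsed as SQL."""
    query = "SELECT id, item_name FROM items WHERE id = ?"
    return conn.execute(query, (raw_id,)).fetchall()

def view_item_validated(conn, raw_id):
    """The belt-and-braces version: reject anything that is not a plain integer
    before it reaches the database. Returns None where the PHP version calls die()."""
    if not raw_id.strip().isdigit():
        return None
    return view_item_parameterized(conn, int(raw_id))

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", view_item_vulnerable(conn, PAYLOAD))    # every row
    print("parameterized:", view_item_parameterized(conn, PAYLOAD)) # no rows
    print("validated    :", view_item_validated(conn, PAYLOAD))     # None
```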
How to Protect Your Business
Immediate Actions (Do This Today)
1. Identify If You're Running the Vulnerable Version
If you're using SourceCodester Lost and Found Information System, check your version:
# SSH into your server
ssh your_username@your_server_ip
# Navigate to the application directory
cd /var/www/html/lost_and_found # or your installation path
# Check the version file
cat version.txt
# OR
grep -r "Lost and Found Information System" . | head -5
If you see version 1.0, you're vulnerable.
2. Take the Application Offline (Temporary Measure)
If you can't patch immediately:
# Disable the vulnerable application
sudo mv /var/www/html/lost_and_found /var/www/html/lost_and_found.backup
# Create a maintenance page
echo "System under maintenance. We'll be back soon." > /var/www/html/maintenance.html
# Update your web server configuration to serve the maintenance page
3. Check Database Access Logs
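Keyword greps over the access log miss anything that avoids the listed words, so here is an added example (not from the article) in Python: it parses Apache combined-log lines, URL-decodes the id value of every request to items/view.php, and flags any id that is not a plain integer, with the keyword match kept only as a secondary signal. The log lines are constructed, not real traffic:

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines (not real traffic). Requests 2-4 carry the
# URL-encoded forms of the payloads shown earlier in the article.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2023:10:01:02 +0530] "GET /items/view.php?id=7 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2023:10:01:09 +0530] "GET /items/view.php?id=1%20OR%201%3D1-- HTTP/1.1" 200 98212 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2023:10:01:15 +0530] "GET /items/view.php?id=1%20UNION%20SELECT%20username,password,email%20FROM%20users-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2023:10:02:30 +0530] "GET /items/view.php?id=1%20AND%20SLEEP(5)-- HTTP/1.1" 200 1843 "-" "curl/7.88"
198.51.100.7 - - [12/Jun/2023:10:03:00 +0530] "GET /index.php HTTP/1.1" 200 2210 "-" "curl/7.88"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
# Tokens taken from the article's own examples; the integer check below is what
# catches variants that use none of them.
KEYWORD_RE = re.compile(r"\b(union|select|sleep|benchmark)\b|--|'", re.IGNORECASE)

def inspect_line(line):
    """Return a finding dict for a suspicious items/view.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/items/view.php":
        return None
    # parse_qs percent-decodes once; unquote again to undo double encoding
    raw_id = parse_qs(url.query, keep_blank_values=True).get("id", [""])[0]
    decoded = unquote(raw_id)
    reasons = []
    if not re.fullmatch(r"\d+", decoded):
        reasons.append("id is not a plain integer")  # the app only ever expects one
    if KEYWORD_RE.search(decoded):
        reasons.append("injection keyword or comment token")
    if not reasons:
        return None
    size = m.group("bytes")
    return {"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"),
            "bytes": int(size) if size.isdigit() else 0, "id": decoded, "reasons": reasons}

def scan_log(text):
    """Run inspect_line over every line and keep only the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]
```

Call scan_log(SAMPLE_LOG), or pass it the contents of /var/log/apache2/access.log; a response size far above a normal item page (98212 bytes against 1843 in the sample) corroborates that a tautology actually dumped the table.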
Determine whether you've already been compromised. Search the whole log history rather than tailing it, because the attack may have happened days or weeks ago:
# Check MySQL query logs (only present if the general log is enabled)
sudo grep -iE "union|sleep|benchmark" /var/log/mysql/query.log
# Check web server access logs for suspicious patterns (payloads usually arrive URL-encoded, hence or%201=1)
sudo grep -iE "union|or%201=1|sleep" /var/log/apache2/access.log
# Look for unusual query patterns in your MySQL slow query log (a SLEEP(5) probe lands here)
sudo less /var/log/mysql/slow.log
Short-Term Actions (This Week)
1. Upgrade or Patch
Check SourceCodester's official repository for a patched version:
# Backup your current database
mysqldump -u root -p your_database_name > backup_$(date +%Y%m%d).sql
# Download the latest version
wget https://sourcecodester.com/lost_and_found_latest.zip
unzip lost_and_found_latest.zip
# Replace vulnerable files
cp -r lost_and_found_latest/* /var/www/html/lost_and_found/
# Set correct permissions
sudo chown -R www-data:www-data /var/www/html/lost_and_found/
sudo chmod -R 755 /var/www/html/lost_and_found/
2. Implement Web Application Firewall (WAF) Rules
If you can't patch immediately, a WAF can block SQL injection attempts. The keyword rule below is a stopgap; the OWASP Core Rule Set covers far more variants:
# Using ModSecurity (Apache)
sudo apt-get install libapache2-mod-security2
# Enable the module
sudo a2enmod security2
# Make sure /etc/modsecurity/modsecurity.conf has SecRuleEngine On (the packaged default is DetectionOnly)
# Add a rule to block SQL injection patterns in request arguments. A quoted heredoc avoids the
# nested single quotes that break a plain echo; \b word boundaries and t:lowercase reduce false
# positives on ordinary words such as "update" in an item description.
sudo tee -a /etc/modsecurity/modsecurity.conf > /dev/null <<'EOF'
SecRule ARGS "@rx \b(union|select|insert|update|delete|drop|create|alter|exec|execute|script|javascript|onerror|onclick)\b" "id:1001,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'SQL Injection Attempt'"
EOF
# Restart Apache
sudo systemctl restart apache2
3. Enable Database Query Logging
# Edit MySQL configuration
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
# Add these lines under the [mysqld] section:
#   general_log = 1
#   general_log_file = /var/log/mysql/query.log
#   log_queries_not_using_indexes = 1
# Note: the general log records every statement and grows quickly; rotate it, or enable it only while investigating
# Restart MySQL
sudo systemctl restart mysql
Long-Term Actions (This Month)
1. Implement Input Validation
Even with parameterized queries, validate input:
<?php
// Validate that 'id' is an integer (?? '' avoids a warning when the parameter is absent)
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT);
if ($id === false) {
    die("Invalid ID parameter");
}
// Now use a parameterized query with the validated input
$query = "SELECT * FROM items WHERE id = :id";
$stmt = $pdo->prepare($query);
$stmt->execute(['id' => $id]);
?>
2. Conduct a Full Security Audit
Review all user input points in your application:
# Search for all GET/POST parameter usage
grep -r "\$_GET\|\$_POST\|\$_REQUEST" /var/www/html/lost_and_found/ | grep -v "prepared\|parameterized" > vulnerable_patterns.txt
# Review the file
cat vulnerable_patterns.txt
Each finding needs to be converted to parameterized queries.
3. Implement Rate Limiting
Prevent brute-force and automated attacks:
# In Nginx configuration: limit_req_zone belongs in the http {} block, limit_req in the server/location block
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
server {
    location /items/view.php {
        limit_req zone=api_limit burst=20 nodelay;
    }
}
4. Set Up Intrusion Detection
# Install Snort IDS
sudo apt-get install snort
# Configure it to alert on SQL injection patterns
sudo nano /etc/snort/rules/local.rules
# Add a detection rule (Snort 2 rule syntax; the http_uri modifier applies to the preceding content match):
#   alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SQL Injection Attempt"; \
#     flow:to_server,established; content:"union"; http_uri; nocase; sid:1000001; rev:1;)
How Bachao.AI Would Have Prevented This
When I was architecting security for large enterprises, we had dedicated security teams running constant vulnerability scans. This is exactly why I built Bachao.AI—to make that level of protection accessible and affordable for Indian SMBs.
Here's how our platform would have caught and prevented this vulnerability:
1. VAPT Scan — Vulnerability Detection
How it helps: Our automated vulnerability assessment would identify the SQL injection vulnerability in your Lost and Found system before attackers exploit it.
- Detection method: VAPT Scan performs both automated scanning and manual penetration testing
- Specific to this vulnerability: Would test the items/view.php?id= parameter with SQL injection payloads and flag the vulnerability immediately
- Cost: Free tier available for basic scanning; comprehensive VAPT from ₹1,999
- Time to detect: Results within 24-48 hours
- What you get: Detailed report with proof-of-concept, CVSS score, remediation steps
Vulnerability: SQL Injection in items/view.php
Parameter: id (GET)
Severity: CRITICAL (CVSS 9.8)
Proof: items/view.php?id=1' OR '1'='1
Impact: Complete database compromise
Fix: Use parameterized queries (see code example above)
Deadline: Patch within 24 hours
2. API Security — Continuous Monitoring
How it helps: If your Lost and Found system exposes any APIs, our API Security module would continuously monitor for injection attempts and malformed requests.
- Detection method: Real-time request inspection, payload analysis, anomaly detection
- Specific benefit: Catches both known attack patterns and zero-day variations
- Cost: Starts at ₹2,999/month
- Time to respond: Immediate blocking of malicious requests
3. Dark Web Monitoring — Breach Detection
How it helps: Even if you were compromised before discovering the vulnerability, our Dark Web Monitoring would alert you if your data appears on underground forums or paste sites.
- Detection method: Continuous scanning of dark web marketplaces, paste sites, and breach databases
- Specific benefit: You'd know within hours if your Lost and Found database was sold or leaked
- Cost: ₹999/month for up to 5 domains and 10 employee credentials
- Time to alert: Same day notification
4. DPDP Compliance Assessment
How it helps: Before any breach occurs, our compliance module ensures you're meeting India's DPDP Act requirements for security measures.
- Assessment includes: Security controls checklist, data handling procedures, breach response plan
- Specific benefit: Reduces regulatory risk and demonstrates due diligence to authorities
- Cost: ₹4,999 for comprehensive assessment
- Deliverable: Compliance roadmap with 90-day action plan
5. Incident Response — 24/7 Support
How it helps: If a breach does occur, our incident response team handles the entire process:
- Immediate containment and forensics
- CERT-In notification within the 6-hour window
- DPDP Act breach notification to affected parties
- Root cause analysis and remediation guidance
- Cost: ₹29,999/year for 24/7 access
- Response time: 2-hour initial response, 4-hour on-site if needed
- Includes: CERT-In report preparation, legal compliance documentation
Recommended Bundle for Your Situation
If you're running a Lost and Found system (or any web application), here's what we'd recommend:
- Start with VAPT Scan (Free) — Identify vulnerabilities immediately
- Add Dark Web Monitoring — Know if you've been breached (₹999/month)
- Implement DPDP Compliance — Ensure you meet legal requirements (₹4,999 one-time)
- Optional: Incident Response Plan — Sleep better knowing you're covered (₹29,999/year)
Key Takeaways
- CVE-2023-2672 is actively exploited — Patch within 24 hours if you're running SourceCodester Lost and Found 1.0
- DPDP Act penalties are severe — Non-compliance can result in ₹250 crore fines
- CERT-In requires 6-hour reporting — Delays incur additional penalties
- Parameterized queries are non-negotiable — Every user input must be treated as untrusted
- Preventive scanning saves money — A ₹1,999 VAPT scan is cheaper than breach remediation
Book Your Free VAPT Scan Today — Identify vulnerabilities in your Lost and Found system (or any web application) in 24 hours. Takes 5 minutes to set up.
Originally reported by NIST NVD. This article was written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. We analyze cybersecurity incidents daily to help Indian businesses stay protected.
Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.