Propanetank Roommate-Bill-Tracking SQL Injection Vulnerability in Login Component

Vulnerability

A critical SQL injection vulnerability has been identified in the Propanetank Roommate-Bill-Tracking application, affecting versions prior to commit 288437f658fc9ee7d4b92a9da12557024d8bc55c. The issue resides in the login.php file, where the 'username' input is not properly sanitized before being used in a database query, so attacker-controlled input can alter the SQL statement the application executes. This vulnerability can be exploited remotely without any authentication.

Impact

Exploitation of this vulnerability allows an attacker to manipulate the SQL queries the application sends to its database. This could lead to unauthorized data access, data manipulation or, in some configurations, execution of administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the login.php page that includes a malicious payload in the 'username' field. Because the input is not sanitized, the injected SQL is executed as part of the login query, altering the application's database queries and behavior.

Remediation

Users are advised to update to the version that includes the patch for this vulnerability, available in the commit b32bb1b940f82d38fb9310cd66ebe349e20a1d0a.
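As an added illustration (not the project's own login.php, whose code this advisory does not show), the unsanitized-username pattern the advisory describes beside a prepared-statement version; the `users` table, its `username` and `password_hash` columns and the PDO handle are assumptions.

```php
<?php
// Added illustration, not the project's code. Assumes a PDO connection and a
// hypothetical `users` table with columns `username` and `password_hash`.

// VULNERABLE: the 'username' value is concatenated straight into the query,
// so whatever the client sends becomes part of the SQL statement itself.
function login_vulnerable(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT password_hash FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// HARDENED: a prepared statement separates the SQL text from the data, so the
// username is always bound as a value and cannot change the query structure.
function login_hardened(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so response
    // time does not reveal which usernames are valid.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $hash = $row !== false ? $row['password_hash'] : $dummy;

    return password_verify($password, $hash) && $row !== false;
}

// Self-contained demo on an in-memory SQLite database with constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(login_hardened($pdo, 'alice', 'correct horse'));
var_dump(login_hardened($pdo, 'alice', 'wrong password'));
// A username containing a quote is treated as literal data, not as SQL.
var_dump(login_hardened($pdo, "o'brien", 'anything'));
```

The same quote-bearing username passed to `login_vulnerable` would be spliced into the SQL text, which is the class of defect the patch in commit b32bb1b940f82d38fb9310cd66ebe349e20a1d0a addresses.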

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.