Netartmedia PHP Mall SQL Injection Vulnerability

Vulnerability

Multiple SQL injection vulnerabilities have been identified in Netartmedia PHP Mall version 4.1. They allow unauthenticated attackers to manipulate database queries by injecting SQL through parameters that are not validated. Exploitation can be achieved by sending time-based blind SQL payloads through the 'id' parameter in 'index.php' or the 'Email' parameter in 'loginaction.php', potentially leading to the extraction of sensitive database information.

Impact

Successful exploitation lets attackers manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, the execution of administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a request to 'index.php' with a crafted 'id' parameter that carries an SQL injection payload, such as a time-based blind SQL injection payload. Alternatively, the 'Email' parameter in 'loginaction.php' can be used to inject similar SQL payloads.
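For defenders, the request pattern described above can be hunted for in web server logs. The following is an added example, not code from the advisory or from Netartmedia: it flags requests to the two named parameters that carry a delay primitive or a non-numeric 'id', and marks those that also responded slowly. The log layout (combined format with a trailing response time in seconds), the 3-second threshold and the assumption that 'id' is normally a decimal integer are all assumptions, and an 'Email' value sent in a POST body will not appear in such a log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script name -> parameter, as named in the advisory.
WATCHED = {"index.php": "id", "loginaction.php": "Email"}
# Delay primitives typical of time-based blind SQL injection attempts.
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
# Assumed layout: combined-log request field, status, bytes, response seconds.
LINE_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ (?P<secs>\d+\.\d+)$')
SLOW_SECS = 3.0  # assumed threshold; tune to the application's normal latency


def inspect(line):
    """Return (path, param, reasons) for a suspicious request, else None."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    url = urlsplit(m["target"])
    param = WATCHED.get(url.path.rsplit("/", 1)[-1])
    if param is None:
        return None
    reasons = []
    for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
        if DELAY_RE.search(value):
            reasons.append("delay-function")
        # Assumption: a legitimate 'id' is a plain decimal integer.
        if param == "id" and not (value.isascii() and value.isdigit()):
            reasons.append("non-numeric-id")
    if reasons and float(m["secs"]) >= SLOW_SECS:
        reasons.append("slow-response")
    return (url.path, param, reasons) if reasons else None


def scan(lines):
    """Inspect every line and keep only the findings."""
    return [hit for hit in map(inspect, lines) if hit]


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [12/Mar/2026:16:01:02 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5120 0.031',
    '203.0.113.9 - - [12/Mar/2026:16:01:07 +0000] "GET /index.php?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 5120 5.044',
    '203.0.113.9 - - [12/Mar/2026:16:01:15 +0000] "GET /loginaction.php?Email=user%40example.test%20AND%20SLEEP(5) HTTP/1.1" 302 0 5.020',
    '203.0.113.7 - - [12/Mar/2026:16:02:00 +0000] "GET /loginaction.php?Email=user%40example.test HTTP/1.1" 302 0 0.040',
    '203.0.113.7 - - [12/Mar/2026:16:02:09 +0000] "GET /about.php?id=x HTTP/1.1" 200 900 0.015',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding that combines a delay primitive with a slow response is the strongest signal; a non-numeric 'id' on its own is only a lead to review.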

Added: Mar 12, 2026, 4:20 PM
Updated: Mar 12, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.