Mult-E-Cart Ultimate SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in Mult-E-Cart Ultimate version 2.4. It affects the inventory, customer, vendor, and order modules, where the 'id' parameter is passed into database queries in a way that lets a remote attacker authenticated with a vendor or admin role supply crafted values. Successful exploitation allows attacker-controlled SQL commands to be executed, potentially compromising the underlying database management system.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a GET request to the affected endpoints with a crafted 'id' parameter that includes SQL injection payloads. This can be done using a web browser or a tool like Burp Suite. The injection can be verified by observing SQL error messages or by successfully executing SQL commands that, for example, return database version information.

Remediation

To address this vulnerability, validate the 'id' parameter so that special characters usable for SQL injection are rejected, and use prepared statements (parameterized queries) for database access so the value is bound as data rather than concatenated into the query text. Additionally, SQL error messages should be logged privately on the server and never displayed to users, since such messages help confirm and refine an injection.
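The following is an added illustration of the remediation described above; it is not code from Mult-E-Cart Ultimate, whose implementation language and schema the advisory does not state. It assumes a hypothetical inventory table held in an in-memory SQLite database and shows an endpoint handler in its vulnerable form (the 'id' parameter spliced into the query text) next to a hardened form that validates 'id' as a positive integer, binds it as a query parameter, and logs database errors instead of returning them to the client.

```python
import logging
import re
import sqlite3

logger = logging.getLogger("mult_e_cart_example")

# Constructed in-memory schema standing in for an inventory table (assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inventory (id INTEGER PRIMARY KEY, name TEXT, vendor_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO inventory VALUES (?, ?, ?)",
        [(1, "widget", 10), (2, "gadget", 11), (3, "gizmo", 10)],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    """'Before': the raw request parameter becomes part of the SQL text,
    so any value that is not a plain number changes the query's meaning."""
    query = f"SELECT id, name FROM inventory WHERE id = {raw_id}"
    return conn.execute(query).fetchall()


class InvalidId(ValueError):
    """Raised when the 'id' parameter is not a positive decimal integer."""


def parse_id(raw_id):
    # Allow-list validation: only a positive decimal integer passes.
    if not isinstance(raw_id, str) or not re.fullmatch(r"[1-9][0-9]*", raw_id):
        raise InvalidId("id must be a positive integer")
    return int(raw_id)


def lookup_hardened(conn, raw_id):
    """'After': validated integer bound as a parameter; the driver never
    interprets it as SQL. Database errors are logged server-side and the
    caller gets None instead of the error text."""
    item_id = parse_id(raw_id)
    try:
        return conn.execute(
            "SELECT id, name FROM inventory WHERE id = ?", (item_id,)
        ).fetchall()
    except sqlite3.Error:
        logger.exception("inventory lookup failed for id=%s", item_id)
        return None


def handle_request(conn, raw_id):
    """Hypothetical endpoint wrapper returning an (HTTP status, body) pair.
    Invalid input gets a generic 400; database failures get a generic 500,
    so no SQL error detail reaches the client."""
    try:
        rows = lookup_hardened(conn, raw_id)
    except InvalidId:
        return 400, "invalid id"
    if rows is None:
        return 500, "internal error"
    return 200, rows


if __name__ == "__main__":
    db = make_db()
    # A tautology appended to 'id' makes the vulnerable query return every row,
    # while the hardened handler rejects the same input before touching the database.
    print(lookup_vulnerable(db, "1 OR 1=1"))
    print(handle_request(db, "1 OR 1=1"))
    print(handle_request(db, "2"))
```

The vulnerable function returns all three constructed rows for the tautology input, while `handle_request` returns a generic 400 for it and only the matching row for a well-formed id; validation and parameter binding are applied together because either one alone leaves a narrower but real gap (validation can be bypassed by a missed case, and binding alone still accepts semantically odd values).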

Added: Feb 1, 2026, 1:33 PM
Updated: Feb 1, 2026, 1:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.1
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.