Kashipara Ecommerce Website SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Kashipara Ecommerce Website version 1.0. The issue arises in the user_password_recover.php file, where the recover_email parameter can be exploited to inject malicious SQL queries. This vulnerability allows attackers to manipulate database queries, potentially leading to unauthorized data access or modification.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the user_password_recover.php file with a payload injected into the recover_email parameter. Use a time-based SQL injection payload, such as one that includes a sleep function, to delay the server's response and indicate successful exploitation.