Vehicle Management System
cpe:2.3:a:vehicle_management_project:vehicle_management:*:*:*:*:*:*:*
- 1.0
A SQL injection vulnerability has been identified in Vehicle Management System version 1.0. Affected POST parameters can be exploited by guest users with low-privilege authentication during vehicle booking actions. The vulnerable parameters are 'Booking ID', 'Action Name', and 'Payment Confirmation ID', present in '/vehicle-management/newvehicle.php' and '/vehicle-management/newdriver.php'. This vulnerability allows for the execution of arbitrary SQL commands, potentially leading to unauthorized database access, data manipulation, and privilege escalation.
Exploitation of this vulnerability could allow attackers to bypass authentication, access sensitive information, manipulate or delete database records, and escalate privileges to execute unauthorized administrative actions.
To reproduce this vulnerability, a guest user can send a POST request to the '/vehicle-management/newvehicle.php' or '/vehicle-management/newdriver.php' endpoints. The request must include the vulnerable parameters: 'Booking ID', 'Action Name', and 'Payment Confirmation ID'. This will trigger the SQL injection vulnerability, allowing the execution of arbitrary SQL commands.
It is recommended to validate and sanitize all user input, particularly POST parameters. Implementing parameterized queries or prepared statements can help prevent SQL injection attacks. Additionally, access to sensitive endpoints should be restricted and strong authentication measures enforced.
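The recommendation above, sketched as an added example (not code from the Vehicle Management System project): the three affected fields are validated against expected formats and then passed to a PDO prepared statement as bound parameters. The field keys, the `bookings` table, its columns, and the allow-list values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: field, table and column names are assumptions, not the project's.
const ALLOWED_ACTIONS = ['confirm', 'cancel']; // assumed allow-list for 'Action Name'

/** Validate the three POST fields; returns typed values or throws. */
function validateBookingInput(array $post): array
{
    $opts = ['options' => ['min_range' => 1]];
    $bookingId = filter_var($post['booking_id'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($bookingId === false) {
        throw new InvalidArgumentException('booking_id must be a positive integer');
    }
    $action = $post['action_name'] ?? '';
    if (!is_string($action) || !in_array($action, ALLOWED_ACTIONS, true)) {
        throw new InvalidArgumentException('action_name is not in the allow-list');
    }
    $paymentId = $post['payment_confirmation_id'] ?? '';
    if (!is_string($paymentId) || preg_match('/\A[A-Za-z0-9-]{6,32}\z/', $paymentId) !== 1) {
        throw new InvalidArgumentException('payment_confirmation_id has an unexpected format');
    }
    return [$bookingId, $action, $paymentId];
}

/** Update a booking using bound parameters, so input never becomes SQL text. */
function applyBookingAction(PDO $db, array $post): int
{
    [$bookingId, $action, $paymentId] = validateBookingInput($post);
    $stmt = $db->prepare('UPDATE bookings SET status = :status, payment_ref = :ref WHERE id = :id');
    $stmt->bindValue(':status', $action, PDO::PARAM_STR);
    $stmt->bindValue(':ref', $paymentId, PDO::PARAM_STR);
    $stmt->bindValue(':id', $bookingId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bookings (id INTEGER PRIMARY KEY, status TEXT, payment_ref TEXT)');
$db->exec("INSERT INTO bookings (id, status) VALUES (1, 'pending'), (2, 'pending')");
$ok = ['booking_id' => '1', 'action_name' => 'confirm', 'payment_confirmation_id' => 'PAY-000123'];
echo applyBookingAction($db, $ok), " row(s) updated\n";
// Constructed malformed value: rejected by validation before any query runs.
try {
    applyBookingAction($db, ['booking_id' => '1 OR 1=1'] + $ok);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Validation and binding are independent layers: even if a format check were loosened, the bound parameters would still be sent to the database as data rather than as part of the SQL statement.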