SourceCodester Pet Grooming Management Software SQL Injection Vulnerability in Profit Report Section

A SQL injection vulnerability has been identified in SourceCodester Pet Grooming Management Software version 1.0. The issue resides in the file '/admin/profit_report.php', where the 'product_id' parameter is not properly sanitized, allowing for manipulation of the SQL query. This vulnerability can be exploited remotely by authenticated users.

Impact

Exploitation of this vulnerability allows for unauthorized access to the database, where an attacker could view, modify, or delete data. Additionally, according to the vulnerability report, this SQL injection could be leveraged to execute arbitrary queries, extract financial data, and potentially lead to remote code execution if combined with other vulnerabilities.

Reproduction

To reproduce this vulnerability, log in with admin credentials and navigate to the 'Reports' section. Select 'Profit Report' and then the 'Profit Per Product/Service' option. After choosing a product, intercept the POST request using a tool like Burp Suite. Save the intercepted request and use an SQL injection automation tool, such as sqlmap, to exploit the vulnerability.

Remediation

It is recommended to use parameterized queries with bound parameters to prevent SQL injection. Input validation should be implemented to ensure that the 'product_id' parameter is numeric and within acceptable ranges. Additionally, proper error handling should be established to avoid exposing SQL errors to users.