Campcodes Point of Sale System SQL Injection Vulnerability in Login Functionality
Vulnerability
A SQL injection vulnerability has been identified in Campcodes Point of Sale System POS version 1.0. The issue arises in the login.php file, where manipulation of the 'Username' argument allows for SQL injection. This vulnerability can be exploited remotely, without any authentication requirements.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a POST request to 'login.php' with the 'username' parameter manipulated to include a crafted SQL payload. This payload should exploit the application's SQL query handling, such as by using SQL injection techniques to bypass authentication or extract database information. The 'password' parameter can be filled with a generic value, such as '123123'.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.