SourceCodester Wedding Reservation Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Wedding Reservation Management System version 1.0. The issue resides in the 'function.php' file, specifically within the 'insertReservation' function. The vulnerability is triggered by manipulating the 'number' parameter, allowing attackers to inject malicious SQL queries. This exploitation can be performed remotely, without any authentication.

Impact

Exploitation of this vulnerability allows for unauthorized database access, manipulation of data, and potential leakage of sensitive information. Such actions could disrupt services and pose a significant threat to overall system security.

Reproduction

To reproduce this vulnerability, send a POST request to 'http://<target>/wedding/form.php' with the 'date', 'name', 'email', 'number', and 'photographer' parameters. Include a crafted payload in the 'number' parameter that exploits the SQL injection vulnerability, such as a time-based blind SQL injection payload that uses SQL injection techniques to extract information from the database.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection. Additionally, implement strict input validation and filtering for user inputs, particularly for the 'number' parameter. Regular security audits and minimizing database user permissions can also help mitigate such vulnerabilities.