Code-Projects E-Banking System SQL Injection Vulnerability in register.php
Vulnerability
A SQL injection vulnerability has been identified in Code-Projects E-Banking System version 1.0. The issue resides in the register.php file, specifically within the POST parameter handler. The vulnerability allows remote, unauthenticated attackers to manipulate the username and password parameters, injecting malicious SQL that is executed by the database. This flaw arises because user input is directly concatenated into SQL queries without proper sanitization or parameterization, enabling attackers to execute arbitrary SQL commands. The vulnerability has been publicly disclosed and is actively exploitable.
Impact
Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can execute arbitrary SQL commands on the database. This could lead to unauthorized data access, modification, or other high-impact actions, depending on the database privileges of the application.
Reproduction
To reproduce this vulnerability, access the registration page of the application. In the username field, enter a payload that includes a SQL injection, such as one that uses the SQL 'SLEEP' function to create a delay in the server response. Fill in the password field with any value and submit the form. If the server response is delayed by approximately five seconds, this indicates that the SQL injection was successful.
Remediation
It is recommended to use prepared statements or an Object-Relational Mapping (ORM) tool to handle database interactions; these prevent SQL injection by sending user input to the database as bound parameters rather than as part of the query text, so the input can never change the structure of the statement. Additionally, implement strong input validation so that only data of the expected shape is accepted. For secure password storage, use PHP's password_hash() function rather than storing the password in plaintext.
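As an added illustration (this is not the project's register.php, which is not reproduced here), the following shows the string-concatenation pattern the advisory describes next to a hardened registration handler that applies the three recommendations above: allow-list validation, PDO prepared statements and password_hash(). The $pdo connection, the users table and its username and password_hash columns are assumptions.

```php
<?php
// Added example, not the project's own code.
// Assumed: a PDO connection in $pdo, and a table `users`
// with columns `username` and `password_hash`.

// --- Vulnerable pattern described in the advisory ---
// The POST values are concatenated straight into the query, so the
// database parses whatever the user typed as part of the SQL itself.
function registerInsecure(PDO $pdo, array $post): bool
{
    $sql = "INSERT INTO users (username, password) VALUES ('"
         . $post['username'] . "', '" . $post['password'] . "')";
    return $pdo->exec($sql) !== false;
}

// --- Hardened version ---
// 1. Validate the input shape before touching the database.
// 2. Send the values as bound parameters, so they are never parsed
//    as SQL, whatever their content.
// 3. Store only a password hash, never the plaintext.
function registerSecure(PDO $pdo, array $post): bool
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';

    // Allow-list: 3-32 characters of letters, digits, dot, underscore, hyphen.
    if (!preg_match('/^[A-Za-z0-9._-]{3,32}$/', $username)) {
        return false;
    }
    // Enforce a minimum length; bcrypt (PASSWORD_DEFAULT) only uses the
    // first 72 bytes, so reject longer input instead of silently truncating.
    if (strlen($password) < 12 || strlen($password) > 72) {
        return false;
    }

    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:username, :hash)'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':hash', password_hash($password, PASSWORD_DEFAULT), PDO::PARAM_STR);
    return $stmt->execute();
}

// Example wiring from a request handler (connection details assumed):
// $pdo = new PDO('mysql:host=localhost;dbname=ebanking', $dbUser, $dbPass, [
//     PDO::ATTR_EMULATE_PREPARES => false,   // native server-side prepares
//     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
// ]);
// $ok = registerSecure($pdo, $_POST);
```

Disabling emulated prepares matters for the MySQL driver: with emulation on, PDO builds the query string client-side, while native prepares keep query text and parameter values on separate wire-protocol paths.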