jimit105 Project-Online-Shopping-Website SQL Injection Vulnerability in Product Inventory Handler

A SQL injection vulnerability has been identified in the jimit105 Project-Online-Shopping-Website, specifically in the Product Inventory Handler component. This issue affects versions of the project prior to the commit 7d892f442bd8a96dd242dbe2b9bd5ed641e13e64. The vulnerability arises in the /delete.php file, where the product_code parameter is manipulated, allowing for SQL injection. The flaw can be exploited remotely, and an exploit is publicly available.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to the database. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, download the Project-Online-Shopping-Website from GitHub and set it up. Once the application is running, navigate to the delete.php file in the Product Inventory section. Enter a crafted product_code value that exploits the SQL injection vulnerability, such as 'OR '1'='1'. Upon submission, the application will delete all products from the inventory, confirming the successful exploitation of the vulnerability.