Yousaf530 Inferno Online Clothing Store SQL Injection Vulnerability in log.php

Vulnerability

A SQL injection vulnerability has been identified in Yousaf530 Inferno Online Clothing Store in versions prior to 827dd42bfbe380e8de76fdc67958c24cf1246208. The issue arises in log.php, where the 'cemail' and 'password' request parameters are improperly sanitized before being incorporated into SQL queries. This flaw allows remote attackers to manipulate the input and execute arbitrary SQL commands, potentially leading to unauthorized access or data manipulation. Exploitation is straightforward, as it does not require authentication.

Impact

Exploitation of this vulnerability allows SQL injection, where an attacker can interfere with the queries the application makes to its database. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the '/log.php' endpoint with crafted 'cemail' and 'password' parameters. The 'password' parameter should carry a payload that exploits the SQL query handling, for example to bypass the authentication check by altering the query logic with a value such as 'or'1'='1'.
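To make the defect concrete, the following is an added illustration (not the project's own log.php) of the login pattern the Vulnerability and Reproduction sections describe, beside a parameterised replacement that closes the hole. The table and column names (customers, password_hash), the database credentials and the session handling are assumptions for the example only.

```php
<?php
// Added illustration, not Yousaf530 Inferno's actual log.php. Assumes a
// MySQL table `customers` (id, cemail, password_hash); all names hypothetical.

// BEFORE (the pattern the advisory describes): POST values spliced into SQL.
// A 'password' value such as "' or '1'='1" turns the WHERE clause into a
// tautology, so a row comes back without a valid credential.
function login_vulnerable(mysqli $db, string $cemail, string $password): ?array
{
    $sql = "SELECT id, cemail FROM customers "
         . "WHERE cemail = '$cemail' AND password = '$password'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// AFTER: prepared statement plus hashed-password comparison. The user input is
// bound as data and never becomes part of the SQL text, so quoting tricks
// cannot change the query; the password is checked with password_verify(),
// not inside SQL.
function login_fixed(mysqli $db, string $cemail, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, cemail, password_hash FROM customers WHERE cemail = ? LIMIT 1'
    );
    $stmt->bind_param('s', $cemail);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Same failure path for unknown user and wrong password (no account enumeration).
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Usage with the request shape the advisory names (/log.php, cemail + password).
session_start();
$db = new mysqli('localhost', 'app', 'secret', 'inferno');   // hypothetical credentials
$cemail   = $_POST['cemail']   ?? '';
$password = $_POST['password'] ?? '';
$user = login_fixed($db, $cemail, $password);
if ($user === null) {
    http_response_code(401);
    exit('Login failed');
}
session_regenerate_id(true);   // new session id on privilege change
$_SESSION['user_id'] = $user['id'];
```

The fix does not depend on filtering quotes out of the input: with bind_param the database treats the whole value as a string literal regardless of its contents.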

Added: Oct 13, 2025, 1:19 AM
Updated: Oct 13, 2025, 1:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.