Bdtask Wholesale Inventory Control and Inventory Management System SQL Injection Vulnerability in Profile Editing Function

Vulnerability

A critical SQL injection vulnerability has been identified in Bdtask Wholesale Inventory Control and Inventory Management System, affecting versions prior to 2025-10-13. The issue arises in the profile editing feature, specifically within the 'first_name' and 'last_name' parameters of the '/Admin_dashboard/edit_profile' file. This vulnerability allows authenticated attackers to inject malicious SQL commands, which can be exploited to exfiltrate database information through error messages. The application improperly sanitizes user input before incorporating it into SQL queries, creating an opportunity for injection attacks.

Impact

Exploitation of this vulnerability could lead to a full database compromise, allowing attackers to read, modify, or delete any data. Sensitive information such as administrator credentials, user details, inventory records, and sales data could be exposed. Additionally, the vulnerability might be used to bypass authentication by extracting user password hashes, potentially leading to account takeovers. In some database configurations, this SQL injection could be escalated to achieve remote code execution on the server.

Reproduction

To reproduce this vulnerability, log into the administrator panel and navigate to the 'Edit Profile' page. In the 'Last name' field, enter a payload that exploits the SQL injection vulnerability, such as one that uses the 'EXTRACTVALUE' function to extract database information. Submit the form, and the application will display a database error message revealing the injected data, confirming the successful exploitation of the vulnerability.

Remediation

It is recommended to use parameterized queries or prepared statements to prevent SQL injection vulnerabilities. Additionally, input validation and sanitization should be implemented to ensure that user input is properly checked before being used in SQL commands.
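The following Python/sqlite3 snippet is an added illustration of that remediation, not code from the Bdtask application: it places the string-built update pattern the advisory describes beside a version that validates the two name fields and binds them as query parameters, and wraps the handler so database error text is logged server-side rather than returned to the client. The table name, column names and handler shape are assumptions.

```python
"""Profile-update handler: string-built SQL beside a parameterized version.

Illustrative code added for this advisory; it is not the Bdtask
application's code. The users table, its columns and the handler
signature are assumed for the example.
"""
import logging
import re
import sqlite3

log = logging.getLogger("edit_profile")


def make_db():
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'user')")
    conn.commit()
    return conn


def update_profile_vulnerable(conn, user_id, first_name, last_name):
    """The pattern the advisory describes: input is spliced into the SQL text,
    so a quote in first_name or last_name changes the query structure and the
    resulting database error propagates to the caller."""
    sql = (
        "UPDATE users SET first_name = '" + first_name
        + "', last_name = '" + last_name
        + "' WHERE id = " + str(user_id)
    )
    conn.execute(sql)
    conn.commit()


# Allow-list for a person's name: letters, spaces, apostrophes, hyphens; 1-50 chars.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,49}")


def validate_name(value):
    """Reject anything outside the allow-list before it reaches the database."""
    if not isinstance(value, str) or not NAME_RE.fullmatch(value):
        raise ValueError("name contains disallowed characters or is too long")
    return value


def update_profile_safe(conn, user_id, first_name, last_name):
    """Remediated version: validated input bound as parameters, never as SQL text."""
    validate_name(first_name)
    validate_name(last_name)
    conn.execute(
        "UPDATE users SET first_name = ?, last_name = ? WHERE id = ?",
        (first_name, last_name, int(user_id)),
    )
    conn.commit()


def handle_edit_profile(conn, user_id, form):
    """Request-level wrapper: the client gets a generic message and the database
    error text stays in the server log, so an error never echoes query data."""
    try:
        update_profile_safe(
            conn, user_id, form.get("first_name", ""), form.get("last_name", "")
        )
    except ValueError:
        return 400, "Names may contain letters, spaces, apostrophes and hyphens only."
    except sqlite3.Error:
        log.exception("profile update failed for user %s", user_id)
        return 500, "Profile could not be updated."
    return 200, "Profile updated."


def get_name(conn, user_id):
    """Read back the stored names for a user, or None if the user is missing."""
    row = conn.execute(
        "SELECT first_name, last_name FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return tuple(row) if row else None


if __name__ == "__main__":
    db = make_db()
    print(handle_edit_profile(db, 1, {"first_name": "Sean", "last_name": "O'Brien"}))
    print(get_name(db, 1))
```

A legitimate surname with an apostrophe is enough to show the difference: the concatenated query fails with a database syntax error that the original code would surface to the user, while the parameterized version stores the same value literally. The allow-list is deliberately narrow for a name field; widen it only for characters the application genuinely needs to accept.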

Added: Oct 27, 2025, 3:28 PM
Updated: Oct 27, 2025, 3:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.1
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.