Code-Projects Online Job Search Engine SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in Code-Projects Online Job Search Engine version 1.0. The issue resides in the login.php file, specifically within the username parameter. The vulnerability allows remote attackers to manipulate SQL queries, potentially leading to unauthorized data access, authentication bypass, or denial-of-service conditions. This vulnerability arises from inadequate input sanitization, as the application relies on outdated PHP MySQL functions and an insufficient escaping method that fails to fully protect against SQL injection attacks.
Impact
Exploitation of this vulnerability allows for arbitrary SQL command execution, which could result in data exfiltration, bypassing authentication mechanisms, or causing a denial-of-service condition on the application.
Reproduction
To reproduce this vulnerability, navigate to the login page and enter a crafted payload in the username field that exploits the SQL injection flaw, such as 'admin' AND SLEEP(5)-- -'. After submitting the form, the server response will be delayed by 5 seconds, indicating successful exploitation.
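
The fix for this class of flaw is to bind the username as a query parameter instead of escaping it into the SQL string. The following is an added example, not code from the project: the users table, its column names and the in-memory SQLite database are assumptions standing in for the application's real MySQL schema, and it assumes passwords are stored with password_hash().

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. The users table, its columns and the
// in-memory SQLite database are constructed stand-ins for the real MySQL schema.

function authenticate(PDO $db, string $username, string $password): ?int
{
    // Bound the input length before it reaches the database.
    if ($username === '' || strlen($username) > 64) {
        return null;
    }
    // The placeholder keeps the username out of the SQL text entirely, so
    // quotes, comment markers and function calls in it are compared as data.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the supplied password against a password_hash() digest.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed test data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

$cases = [
    ['admin', 'correct horse'],               // valid login
    ['admin', 'wrong'],                       // wrong password
    ["admin' AND SLEEP(5)-- -", 'anything'],  // payload from the Reproduction section
];
foreach ($cases as [$u, $p]) {
    $start = microtime(true);
    $id = authenticate($db, $u, $p);
    printf("%-26s => %s (%.3fs)\n", $u, $id === null ? 'rejected' : "user #$id",
        microtime(true) - $start);
}
```

When the same function is pointed at MySQL through PDO, set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared server-side; the payload is then looked up as a literal username and no SLEEP() call is evaluated.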
