SourceCodester Interview Management System SQL Injection Vulnerability in addCandidate.php

A SQL injection vulnerability has been identified in the SourceCodester Interview Management System, specifically in version 1.0, within the addCandidate.php file. The issue arises from inadequate input validation of the candName parameter, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, leading to unauthorized database access, data manipulation, and exposure of sensitive information. Additionally, the system's error handling in response to invalid data types in the cand_age field discloses internal information through uncaught PDO exceptions, further highlighting the need for immediate remediation.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries and access, modify, or delete database information. The vulnerability also causes information disclosure through detailed error messages that reveal sensitive system information.

Reproduction

To reproduce this vulnerability, send a POST request to the /interview/addCandidate.php endpoint. Include the candName parameter with a crafted SQL injection payload, such as 'test' OR '1'='1', along with other required candidate information. The injection will be executed due to the lack of proper input sanitization, allowing for unauthorized SQL query manipulation.

Remediation

It is recommended to implement prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, conduct regular security audits, and improve error handling to avoid disclosing sensitive information.