SourceCodester Survey Application System
cpe:2.3:a:survey_application_system_project:survey_application_system:*:*:*:*:*:*:*
A time-based blind SQL injection vulnerability has been identified in SourceCodester Survey Application System version 1.0. The issue arises in the file view_survey.php, where the application improperly sanitizes the id parameter in the SQL query. This flaw allows remote, unauthenticated attackers to inject SQL that creates delays on the database server, enabling them to infer database responses. The vulnerability is classified under CWE-89, Improper Neutralization of Special Elements used in an SQL Command.
Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can extract sensitive data from the database by inducing delays in the database response. This type of SQL injection can be particularly dangerous as it exploits the application's database interaction without leaving visible traces.
To reproduce this vulnerability, send a GET request to view_survey.php with a crafted id parameter that includes a SQL injection payload. The payload should be designed to exploit the application's SQL query handling, such as by injecting SQL that causes a delay in the response, indicating successful exploitation.
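For detection, the Python script below reviews web access logs for requests to view_survey.php whose id parameter is not a plain integer, and records whether the response was slow, which is the signature of the time-based technique described above. It is an added example, not code from the advisory or the project; the log layout, the latency threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log layout (not from the advisory):
#   client "METHOD URI PROTO" status request_seconds
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) (\d+\.\d+)$')
SLOW_SECONDS = 3.0  # assumed latency threshold; tune to the site's baseline

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 "GET /view_survey.php?id=4 HTTP/1.1" 200 0.041
203.0.113.9 "GET /view_survey.php?id=12%27%20--%20constructed HTTP/1.1" 200 5.012
203.0.113.9 "GET /view_survey.php?id=12%27%20--%20constructed2 HTTP/1.1" 200 0.038
198.51.100.7 "GET /index.php?page=home HTTP/1.1" 200 0.020
192.0.2.44 "GET /view_survey.php HTTP/1.1" 200 0.030
"""


def review_line(line):
    """Return a finding dict for a suspicious view_survey.php request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, _method, uri, _status, seconds = m.groups()
    parts = urlsplit(uri)
    if not parts.path.endswith("/view_survey.php"):
        return None
    # parse_qs percent-decodes values, so encoded quotes and spaces are visible.
    values = parse_qs(parts.query, keep_blank_values=True).get("id", [])
    # A survey id should be one plain decimal integer; anything else is suspect.
    bad = [v for v in values if not re.fullmatch(r"\d{1,10}", v)]
    if not bad and len(values) <= 1:
        return None
    return {"client": client, "id": values, "slow": float(seconds) >= SLOW_SECONDS}


def review_log(text):
    """Collect findings for every line of a log excerpt."""
    return [f for f in map(review_line, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

A non-integer id paired with a slow response, followed by similar requests from the same client, is the pattern to triage first; the same integer-only check applied server-side before the query runs is the corresponding input-validation control.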