ashraf-kabir Travel Agency SQL Injection Vulnerability in Search Component
Vulnerability
A SQL injection vulnerability has been identified in the ashraf-kabir travel agency application, specifically in the results.php file of the Search component. The user_query parameter is concatenated directly into a SQL query without proper sanitization, so an attacker who controls user_query can alter how the query executes and potentially perform unauthorized database operations. The vulnerability affects the application up to version 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3.
Impact
Exploiting this vulnerability lets an attacker interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or, in some cases, the execution of administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a request to the results.php file with a crafted user_query parameter that includes SQL injection payloads. The lack of input validation will allow the injected SQL code to be executed by the database, manipulating the query logic and potentially exposing or altering database information.
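The concatenation pattern described above next to a parameterized form, as an added example that is not code from the travel agency project. The packages table, the function names, the test input and the in-memory SQLite database (standing in for the application's real backend, and requiring the pdo_sqlite extension) are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database; table and column names are hypothetical.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE packages (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO packages (title) VALUES
               ('Paris weekend'), ('Rome tour'), ('Cairo cruise')");
    return $db;
}

// Pattern the advisory describes: user_query becomes part of the SQL text.
function search_concat(PDO $db, string $userQuery): array {
    $sql = "SELECT title FROM packages WHERE title LIKE '%" . $userQuery . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the SQL text is fixed and user_query is bound as data.
function search_prepared(PDO $db, string $userQuery): array {
    // Escape LIKE metacharacters so % and _ in the input match literally.
    $literal = strtr($userQuery, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $db->prepare(
        "SELECT title FROM packages WHERE title LIKE :needle ESCAPE '!'"
    );
    $stmt->execute([':needle' => '%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();

// Constructed regression input: matches no title, but carries a quote that
// closes the string literal when the value is concatenated.
$input = "nomatch' OR 1=1 -- ";

// Concatenated query: the WHERE clause is rewritten, every row comes back.
printf("concatenated: %d row(s)\n", count(search_concat($db, $input)));

// Prepared query: the same input is only a search term, nothing matches.
printf("prepared:     %d row(s)\n", count(search_prepared($db, $input)));

// Ordinary searches behave as before with the hardened function.
printf("prepared, 'rome': %s\n", implode(', ', search_prepared($db, 'rome')));
```

The same two calls work as a regression test once results.php is changed to bind user_query: the row count for the constructed input should drop to zero while ordinary searches keep returning results.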
