SourceCodester Company Website CMS SQL Injection Vulnerability in Admin Index PHP File

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Company Website CMS version 1.0. The issue resides in the admin/index.php file, where the Username parameter can be manipulated to inject malicious SQL queries. The vulnerability can be exploited remotely without authentication and can lead to unauthorized database access, modification or deletion of data, and leakage of sensitive information.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands, bypass authentication, read, modify or delete database contents, and in some cases perform administrative operations or execute commands on the server.

Reproduction

To reproduce this vulnerability, send a POST request to admin/index.php with a crafted value in the Username parameter that exploits the SQL injection flaw. The injection can be verified with payloads that trigger SQL errors or by extracting database information through standard SQL injection techniques.

Remediation

It is recommended to validate and sanitize user input, to use prepared statements (parameterized queries) so that user-supplied values are never concatenated into SQL text, and to apply the principle of least privilege to the database account used by the application.
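The following is an added example, not code from the SourceCodester project, showing how the admin login check in admin/index.php could be written with a prepared statement instead of string concatenation. The PDO connection, the `admin` table and its `username`/`password` columns, the `Password` form field and the database credentials are all assumptions.

```php
<?php
// Added example (not the project's code). Assumes a PDO connection, a table
// `admin` with columns `id`, `username` and `password`, and that passwords are
// stored as password_hash() digests. All names are assumptions.

// Weak pattern (constructed illustration of the flaw described above):
//   $sql = "SELECT * FROM admin WHERE username='" . $_POST['Username'] . "'"
//        . " AND password='" . $_POST['Password'] . "'";
// The Username value becomes part of the SQL text, so it can alter the query.

function adminLogin(PDO $pdo, string $username, string $password): ?array
{
    // Parameterised query: values travel separately from the SQL text, so
    // user input can never change the structure of the statement.
    $stmt = $pdo->prepare(
        'SELECT id, username, password FROM admin WHERE username = :username LIMIT 1'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify the password against the stored hash in PHP, never inside SQL.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Handler wiring (constructed; credentials are placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=company_cms', 'cms_login', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE         => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use native server-side prepared statements
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['Username'] ?? '');
    $password = (string) ($_POST['Password'] ?? '');
    $admin = adminLogin($pdo, $username, $password);
    if ($admin === null) {
        http_response_code(401);
        echo 'Invalid credentials';
        exit;
    }
    session_start();
    session_regenerate_id(true); // fresh session id after successful login
    $_SESSION['admin_id'] = $admin['id'];
    header('Location: dashboard.php');
    exit;
}
```

The least-privilege advice above applies to the `cms_login` account: it needs only SELECT on the `admin` table for this check, not DDL or file privileges.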

Added: Nov 23, 2025, 6:18 PM
Updated: Nov 23, 2025, 6:18 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 3.1
exploitability: 9.7
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.