TrippWasTaken PHP-Guitar-Shop SQL Injection Vulnerability in Product Details Page

Vulnerability

A SQL injection vulnerability has been identified in TrippWasTaken PHP-Guitar-Shop versions prior to 6ce0868889617c1975982aae6df8e49555d0d555. The issue arises in the Product Details Page component, specifically within the /product.php file. The vulnerability allows remote attackers to manipulate the ID parameter, leading to unauthorized database access and information disclosure. This vulnerability has been publicly disclosed and is actively exploitable.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the /product.php page with a crafted ID parameter that exploits the SQL injection flaw. The absence of authentication requirements allows this attack to be executed by any user.
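
For defenders, an added example (not code from PHP-Guitar-Shop or from this advisory) that scans web access logs for requests to /product.php whose ID value is not a plain integer. It assumes the parameter appears in the query string as `id`, that legitimate product IDs are short decimal integers, and that the server writes combined-format logs; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PARAM = "id"  # assumption: query-string name of the ID parameter

# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Dec/2025:16:01:02 +0000] "GET /product.php?id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [05/Dec/2025:16:01:07 +0000] "GET /product.php?id=12%27 HTTP/1.1" 500 310
198.51.100.4 - - [05/Dec/2025:16:02:11 +0000] "GET /product.php?id=7%20x HTTP/1.1" 200 5100
198.51.100.4 - - [05/Dec/2025:16:02:15 +0000] "GET /index.php?id=abc HTTP/1.1" 200 900
203.0.113.5 - - [05/Dec/2025:16:03:00 +0000] "GET /product.php?id=3&id=x HTTP/1.1" 200 5100
203.0.113.5 - - [05/Dec/2025:16:03:09 +0000] "GET /product.php HTTP/1.1" 200 700
"""


def suspicious_ids(log_text, path="/product.php"):
    """Return (client_ip, decoded_value) for each request to `path` whose
    ID parameter is anything other than a short run of ASCII digits."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if target.path.lower() != path:
            continue
        # parse_qs percent-decodes values and keeps repeated parameters,
        # so encoded characters and duplicate ids are both inspected.
        values = parse_qs(target.query, keep_blank_values=True).get(PARAM, [])
        for value in values:
            # Allow-list check: [0-9] rather than \d, which also matches
            # non-ASCII digits.
            if not re.fullmatch(r"[0-9]{1,10}", value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_ids(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

The same allow-list check (digits only) is what the server side should enforce before the value reaches a query, alongside parameterized statements.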

Added: Dec 5, 2025, 4:24 PM
Updated: Dec 5, 2025, 4:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.