code-projects Employee Profile Management System
cpe:2.3:a:code-projects:employee_profile_management_system:*:*:*:*:*:*:*
- 1.0
A SQL injection vulnerability has been identified in Code-Projects Employee Profile Management System version 1.0. The issue arises in the file '/view_personnel.php', where user-controlled input in the 'per_id' parameter is not properly sanitized before being used in SQL queries. This flaw allows remote attackers to manipulate the parameter and inject arbitrary SQL, potentially leading to unauthorized data access or modification. The vulnerability has been publicly disclosed and is exploitable.
Exploitation of this vulnerability allows attackers to bypass access controls, retrieve all personnel data, read sensitive HR records, modify or delete arbitrary database entries, and potentially achieve full system compromise if SQL functions or file writes are permitted.
To reproduce this vulnerability, navigate to a vulnerable page such as 'view_personnel.php' and inject a SQL payload into the 'per_id' parameter. After submitting the modified request, the response will reveal multiple personnel records instead of just one. This vulnerability can also be tested on deletion endpoints, such as 'delete_department.php', by injecting a payload that exploits the SQL injection flaw and causes a mass-delete operation.
It is recommended to replace unsafe concatenation of user-controlled parameters into SQL strings with parameterized queries that use safe parameter binding. Additionally, all external input should be validated: enforce integer-only checks for relevant IDs and whitelist allowed formats for other parameters.
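The recommended fix applied to the `per_id` lookup, as an added example that is not the project's own code. The advisory does not show the application's source, so the table and column names, connection settings and function names below are assumptions.

```php
<?php
// Added example: hardened lookup for a page such as view_personnel.php.
// Assumptions (not from the advisory): table `personnel`, columns
// `per_id`, `name`, `department`, and the connection settings below.
declare(strict_types=1);

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return the ID as a positive int, or null if the input is anything else. */
function parse_id(mixed $raw): ?int
{
    if (!is_string($raw)) {   // missing parameter, or an array such as per_id[]=1
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Fetch one personnel row by ID using a bound parameter. */
function find_personnel(mysqli $db, int $perId): ?array
{
    // The unsafe pattern the advisory describes is string concatenation:
    //   "... WHERE per_id = " . $_GET['per_id']
    // Here the SQL text is fixed and the value travels separately as an integer.
    $stmt = $db->prepare(
        'SELECT per_id, name, department FROM personnel WHERE per_id = ? LIMIT 1'
    );
    $stmt->bind_param('i', $perId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$perId = parse_id($_GET['per_id'] ?? null);
if ($perId === null) {
    http_response_code(400);          // reject before any query is built
    exit('Invalid per_id');
}

$db = new mysqli('localhost', 'app_user', 'app_password', 'epms'); // placeholders
$db->set_charset('utf8mb4');

$row = find_personnel($db, $perId);
if ($row === null) {
    http_response_code(404);
    exit('Not found');
}
echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
```

The same validate-then-bind pattern applies to the ID parameters of deletion endpoints such as 'delete_department.php'.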