Code-Projects Currency Exchange System SQL Injection Vulnerability in edittrns.php
Vulnerability
A SQL injection vulnerability has been identified in Code-Projects Currency Exchange System version 1.0. The issue is in the file edittrns.php, where the value of the ID parameter is taken from the request and placed directly into a SQL query without validation or parameter binding. Because the attacker controls part of the query text rather than just a value, a remote attacker can alter the query's logic: read data the application never intended to expose, modify or delete records, and, depending on the privileges of the database account the application uses (for example, a MySQL account with the FILE privilege), potentially write files and gain a foothold on the underlying host.
Impact
Successful exploitation lets an attacker run attacker-chosen SQL against the application's database. In practice this means reading user and transaction records, including any credentials stored in the database, modifying or deleting entries, and, where the database account is over-privileged, escalating from the database to the underlying system. The severity therefore depends on how much privilege the application's database account holds.
Reproduction
The vulnerability can be reproduced by sending a GET request to edittrns.php with SQL syntax placed in the ID parameter instead of a plain numeric value; a change in the application's response or a database error confirms that the input reaches the query unchanged. The same request can be handed to an automated tool such as sqlmap, which will detect the injection point and demonstrate impact, for example by enumerating database names and tables.
Remediation
To address this vulnerability, the query in edittrns.php should be rewritten as a prepared statement with the ID passed as a bound parameter, so that the value can never change the structure of the query. In addition, the ID should be validated as a positive integer before it is used and the request rejected if it is not. The database account used by the application should be restricted to the minimum privileges the application needs (no FILE, no administrative rights), which limits what an injection can achieve even if a query is missed. Regular code review of every place user input reaches a query completes the fix.
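The following is an added example and not code from the Currency Exchange System itself. It shows the concatenation pattern the advisory describes, reconstructed as a hypothetical, next to a hardened version of the same lookup and update using PDO prepared statements and integer validation. The table name `transactions` and the columns `id`, `amount` and `currency` are assumptions chosen for illustration; the real schema of edittrns.php is not known from the advisory.

```php
<?php
// Added example (not the project's code). The "vulnerable" function is a
// hypothetical reconstruction of the pattern described in the advisory; the
// table/column names are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern (hypothetical): request input spliced into SQL text ---
function buildVulnerableQuery(string $rawId): string
{
    // With $rawId = "1 OR 1=1" the WHERE clause matches every row; with
    // "1' UNION SELECT ..." the attacker appends an arbitrary SELECT. The
    // input controls query structure, which is the root cause of the bug.
    return "SELECT * FROM transactions WHERE id = " . $rawId;
}

// --- Hardened replacement ---

/**
 * Returns the ID as an int, or null if the input is not a plain positive
 * integer. FILTER_VALIDATE_INT rejects anything that is not an integer
 * literal, so "1 OR 1=1", "1'", "0x31" and "" are all refused here.
 */
function validateId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Opens the connection with emulated prepares disabled so that the statement
 * is prepared server-side and values are sent separately from the query text.
 * Connection details are placeholders (assumptions).
 */
function openDb(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/** Loads one transaction row; the ID is bound as an integer parameter. */
function fetchTransaction(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM transactions WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

/** Updates one transaction; returns the number of affected rows. */
function updateTransaction(PDO $db, int $id, string $amount, string $currency): int
{
    $stmt = $db->prepare(
        'UPDATE transactions SET amount = :amount, currency = :currency WHERE id = :id'
    );
    $stmt->bindValue(':amount', $amount);
    $stmt->bindValue(':currency', $currency);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling as an edit page would do it: validate first, reject early.
$id = validateId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid transaction ID');
}

$db = openDb('mysql:host=127.0.0.1;dbname=currency_exchange;charset=utf8mb4', 'app_user', 'app_pass');
$row = fetchTransaction($db, $id);
if ($row === null) {
    http_response_code(404);
    exit('Transaction not found');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    updateTransaction($db, $id, (string)($_POST['amount'] ?? ''), (string)($_POST['currency'] ?? ''));
}
```

Validation and binding are separate defences and both belong in the fix: validateId stops malformed input at the edge and gives a clean 400 response, while the bound parameter guarantees that even an unvalidated value could only ever be compared as data. The `app_user` account in the example should be granted only SELECT and UPDATE on the tables the page uses; without the FILE privilege the "system-level control" escalation mentioned above is not reachable from this injection point.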
