itsourcecode COVID Tracking System SQL Injection Vulnerability in Admin Login Component

A SQL injection vulnerability has been identified in the itsourcecode COVID Tracking System version 1.0. The issue resides in the Admin Login component, specifically within the '/admin/login.php' file. The vulnerability is triggered by manipulating the 'username' parameter, allowing attackers to inject malicious SQL queries. This exploitation can be done remotely and without any authentication.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized database access, data manipulation, and access to sensitive information. Such actions could disrupt services and compromise overall system security.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/cts/classes/Login.php?f=login' with an injected payload in the 'username' parameter. This payload should be crafted to exploit the SQL injection vulnerability, such as by using a time-based blind SQL injection technique that leverages SQL commands like 'SLEEP' to demonstrate the injection's effectiveness.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.