itsourcecode COVID Tracking System SQL Injection Vulnerability in Admin User Management Page

A SQL injection vulnerability has been identified in the itsourcecode COVID Tracking System version 1.0. The issue arises in the admin user management page, specifically through the 'username' parameter in multipart form data. This vulnerability allows remote attackers to inject malicious SQL queries, potentially leading to unauthorized database access, data manipulation, and exposure of sensitive information. The vulnerability exists due to inadequate input validation, allowing injected SQL to be executed without proper sanitization.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries to gain unauthorized access to the database, modify or delete data, and access sensitive information. This poses a significant risk to the application's data integrity and security.

Reproduction

To reproduce this vulnerability, send a POST request to '/cts/admin/?page=user' with multipart form data. Include a crafted payload in the 'username' parameter that exploits the SQL injection vulnerability, such as a time-based blind SQL injection payload that uses 'SLEEP' to demonstrate the injection.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.