CodeAstro Real Estate Management System SQL Injection Vulnerability in Administrator Endpoint
Vulnerability
A SQL injection vulnerability has been identified in CodeAstro Real Estate Management System version 1.0. The issue resides in the administrator endpoint '/admin/userbuilderdelete.php', where user-supplied input is not properly sanitized before being used in SQL queries. This flaw allows remote attackers to manipulate SQL logic, potentially leading to unauthorized data access or deletion of records from the 'user' table.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could result in reading sensitive data from the database, modifying database contents, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, an authenticated user must send a request to the '/admin/userbuilderdelete.php' endpoint with a crafted 'id' parameter. This can be done using a tool like SQLMap, which automates the process of exploiting SQL injection vulnerabilities.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.