Code-Projects Refugee Food Management System SQL Injection Vulnerability

A SQL injection vulnerability exists in version 1.0 of the Code-Projects Refugee Food Management System. The issue is located in the 'pagenateRefugeesList.php' file, where the 'rfid' parameter can be manipulated to inject malicious SQL code. This vulnerability allows attackers to interfere with SQL queries, potentially leading to unauthorized data access or modification. The flaw can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for unauthorized SQL command execution, which could lead to unauthorized data access, data manipulation, or potentially full system control.

Reproduction

The vulnerability can be reproduced by sending a GET request to 'pagenateRefugeesList.php' with a crafted 'rfid' parameter that includes SQL injection payloads. This can be done manually or using automated tools like sqlmap, which can exploit the vulnerability and extract database information.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be implemented to ensure that user input meets expected formats, blocking malicious data. Finally, database user permissions should be minimized, ensuring that accounts used for database connections have only the necessary privileges.