Code-Projects Refugee Food Management System SQL Injection Vulnerability

A SQL injection vulnerability exists in Code-Projects Refugee Food Management System version 1.0, specifically within the file '/home/editfood.php'. The vulnerability arises because the application improperly sanitizes user input from the 'a' parameter before incorporating it into SQL queries. This flaw allows attackers to manipulate SQL commands and execute unauthorized actions. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to 'editfood.php' with the 'a' parameter set to a crafted SQL payload. The injected SQL will be executed by the application's database, demonstrating the SQL injection flaw.