code-projects Real Estate Property Management System
cpe:2.3:a:code-projects:real_estate_property_management_system:*:*:*:*:*:*:*
- 1.0
A critical SQL injection vulnerability has been identified in Code-Projects Real Estate Property Management System version 1.0. The issue resides in the InsertCustomer.php file within the Parameter Handler component. The vulnerability allows remote attackers to manipulate several input fields, including txtName, txtAddress, cmbCity, txtEmail, cmbGender, txtBirthDate, txtUserName2, and txtPassword2, leading to unauthorized SQL command execution. This exploitation could result in unauthorized access to sensitive database information.
Because the injection is unrestricted, attackers can execute arbitrary SQL commands. This could lead to unauthorized data access, data manipulation, or, in some cases, command execution on the server under the database application's privileges.
To reproduce this vulnerability, send a request to the InsertCustomer.php file with crafted input that manipulates the vulnerable parameters. The SQL injection can be exploited by injecting SQL payloads into the specified fields, which are then executed by the application's database engine without proper sanitization.
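One way to close the flaw described above is to validate the listed fields and pass them to the database as bound parameters. This is an added example, not code from the project: the customer table, its column names, the Y-m-d birth date format, hashed password storage and the connection settings are all assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the project's code. Table/column names, the Y-m-d date
// format and the connection settings are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
const FIELDS = ['txtName', 'txtAddress', 'cmbCity', 'txtEmail',
                'cmbGender', 'txtBirthDate', 'txtUserName2', 'txtPassword2'];
// Require every field as a non-empty string and check the typed ones.
function validateCustomer(array $post): array
{
    $in = [];
    foreach (FIELDS as $f) {
        if (!isset($post[$f]) || !is_string($post[$f]) || trim($post[$f]) === '') {
            throw new InvalidArgumentException("missing or malformed field: $f");
        }
        $in[$f] = $post[$f];
    }
    if (filter_var($in['txtEmail'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    // Round-trip the date so values such as 2024-02-30 are rejected.
    $d = DateTime::createFromFormat('!Y-m-d', $in['txtBirthDate']);
    if ($d === false || $d->format('Y-m-d') !== $in['txtBirthDate']) {
        throw new InvalidArgumentException('invalid birth date');
    }
    return $in;
}

// Values travel as bound parameters, so they are never parsed as SQL text.
function insertCustomer(mysqli $db, array $in): void
{
    $hash = password_hash($in['txtPassword2'], PASSWORD_DEFAULT); // assumption: hashed storage
    $stmt = $db->prepare(
        'INSERT INTO customer (name, address, city, email, gender, birth_date, username, password_hash)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssssss', $in['txtName'], $in['txtAddress'], $in['cmbCity'],
        $in['txtEmail'], $in['cmbGender'], $in['txtBirthDate'], $in['txtUserName2'], $hash);
    $stmt->execute();
}
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $db = new mysqli('localhost', 'app_user', getenv('DB_PASS') ?: '', 'realestate');
        insertCustomer($db, validateCustomer($_POST));
        echo 'Customer saved';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid input';
    }
}
```

The bound parameters are what remove the injection; the validation only rejects malformed input early and is not a substitute for them.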