SourceCodester Web-Based Pharmacy Product Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in SourceCodester Web-Based Pharmacy Product Management System version 1.0. The issue arises in the Login Handler component, where the login_email parameter is manipulated, allowing attackers to interfere with the application's database queries. This vulnerability can be exploited remotely, potentially leading to unauthorized access to sensitive database information, including user passwords, and could allow for data manipulation or corruption.

Impact

Exploitation of this vulnerability could result in unauthorized access to database information, exposure of sensitive user data such as passwords, and potential corruption or manipulation of database records.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the 'add-admin.php' page. During the process of adding a new admin, inject a SQL payload into the 'email' field that exploits the SQL injection vulnerability. Once the payload is submitted, the application will execute the injected SQL code, bypassing normal query parameters and potentially exposing or manipulating database information.

Remediation

It is recommended to implement prepared statements to prevent SQL injection, add input validation to ensure data integrity, and consider using an ORM framework for database operations. Additionally, regular security audits and the implementation of a Web Application Firewall (WAF) can help protect against such vulnerabilities.