SourceCodester Web-Based Pharmacy Product Management System SQL Injection Vulnerability
Vulnerability
A critical SQL injection vulnerability has been identified in SourceCodester Web-Based Pharmacy Product Management System version 1.0. The issue is in the file edit-product.php, where the user-supplied ID parameter is concatenated directly into an SQL query string without validation or sanitization. This allows an attacker to alter the structure of the query, potentially leading to unauthorized reads of database contents, exposure of sensitive data such as user password hashes, and corruption or manipulation of stored data.
Impact
Successful exploitation can expose the entire database, including sensitive personal information. It may also lead to unauthorized administrative access and to the installation of persistent backdoors in the application.
Reproduction
To reproduce this vulnerability, send a request to the edit-product.php file with a crafted ID parameter that includes SQL injection payloads. The injected SQL code will be executed by the application, allowing the attacker to manipulate the SQL query and access or modify database information.
Remediation
Users are advised to update to a patched version of the SourceCodester Web-Based Pharmacy Product Management System, if one is available. Independently of that, validate the ID parameter before it reaches the database layer and use prepared statements with bound parameters for every database query, so that user input is never interpreted as part of the SQL text.
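The following PHP snippet is an added illustration of the remediation advice above; it is not code from the SourceCodester project. It places the query pattern the advisory describes (the ID parameter concatenated into the SQL string) next to a hardened version that rejects non-integer IDs and binds the value through a PDO prepared statement. The table and column names (products, id, name, price) and the connection details are assumptions made for the example.

```php
<?php
// Added example, not code from the SourceCodester project. Table and column
// names (products, id, name, price) are assumed for illustration only.

// The pattern described in the advisory: the id parameter is concatenated
// straight into the query string, so whatever arrives in ?id= is parsed by
// the database as SQL rather than treated as a value.
function loadProductVulnerable(mysqli $db, array $query): ?array
{
    $sql = "SELECT id, name, price FROM products WHERE id = " . $query['id'];
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened version: reject anything that is not a positive integer before
// touching the database, then bind the value as a typed parameter so the
// query text and the data travel to the server separately.
function loadProductSafe(PDO $db, array $query): ?array
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        // Malformed or missing id: answer 400 and log nothing sensitive.
        http_response_code(400);
        return null;
    }

    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage in edit-product.php (connection values are placeholders):
// $pdo = new PDO(
//     'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
//     'PLACEHOLDER_USER',
//     'PLACEHOLDER_PASS',
//     [
//         PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//         // Use real server-side prepared statements, not client-side emulation.
//         PDO::ATTR_EMULATE_PREPARES   => false,
//     ]
// );
// $product = loadProductSafe($pdo, $_GET);
```

Two points matter in the hardened function. The integer validation is defence in depth, not the primary control: even with a validated ID, the query still binds the value rather than interpolating it, so the same pattern stays safe for string parameters where no simple type check applies. Disabling PDO::ATTR_EMULATE_PREPARES ensures the MySQL server itself performs the parameter binding. For detection, a web server access log showing edit-product.php requests whose id value is anything other than a short run of digits is a useful indicator that the endpoint is being probed.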
