Code-Projects Nero Social Networking Site SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Code-Projects Nero Social Networking Site version 1.0. The issue arises in the index.php file, where user-supplied input in several parameters, including fname, lname, login, password2, cpassword, address, cnumber, email, gender, propic, and month, is not properly sanitized. This lack of input validation allows for the manipulation of SQL queries, potentially leading to unauthorized data access or modification. The vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to the index.php file with crafted payloads in the vulnerable parameters. The payloads should be designed to exploit the SQL injection vulnerability, such as by injecting SQL commands that could be executed by the database.