Project Worlds Car Rental SQL Injection Vulnerability in Signup.php

A critical SQL injection vulnerability has been identified in Project Worlds Car Rental Project version 1.0. The issue resides in the signup.php file, where the fname parameter is manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, potentially affecting other parameters as well.

Impact

Exploitation of this vulnerability allows unauthorized access to the database, manipulation or deletion of data, leakage of sensitive information, and could disrupt services, posing a significant threat to system security and business operations.

Reproduction

The vulnerability can be reproduced by sending a POST request to signup.php with the fname parameter. Inject a payload that exploits the SQL injection, such as a time-based blind SQL injection payload that uses the SQL SLEEP function to demonstrate the injection's effectiveness.

Remediation

To address this vulnerability, implement prepared statements and parameter binding to separate SQL code from user input. Additionally, conduct thorough input validation and filtering to ensure data conforms to expected formats, and minimize database user permissions to the least required for operations.