Project Worlds Car Rental SQL Injection Vulnerability in Approve.php

A critical SQL injection vulnerability has been identified in Project Worlds Car Rental Project version 1.0. The issue resides in the file /admin/approve.php, where the 'id' parameter is manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, allowing attackers to access and manipulate the database without authorization. The lack of proper input validation and sanitization enables the injection of harmful SQL code, which could lead to unauthorized data access, modification, or deletion.

Impact

Exploitation of this vulnerability allows for unauthorized database access, data manipulation, and potential disruption of services. It poses a significant threat to system security and data integrity.

Reproduction

The vulnerability can be reproduced by sending a GET request to the /admin/approve.php file with a crafted 'id' parameter that includes malicious SQL payloads. The injection can be verified by using a time-based blind SQL injection technique, such as adding a payload that makes the database wait for a few seconds before responding.

Remediation

To address this vulnerability, it is recommended to use prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be implemented to ensure that user input meets expected formats, blocking malicious data. Finally, database user permissions should be minimized, ensuring that accounts used for database connections have only the necessary privileges.