Slims SQL Injection Vulnerability in Author Management Module

Vulnerability

A SQL injection vulnerability has been identified in Slims (Senayan Library Management Systems) version 9 Bulian 9.6.1. The issue resides in the author management module, specifically within the 'admin/modules/master_file/author.php' file. The vulnerability is caused by inadequate sanitization of user inputs, allowing attackers to inject malicious SQL payloads that could manipulate the application's database queries.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, intercept a request to 'admin/modules/master_file/author.php' and modify the 'fld' parameter to inject SQL code. After the request is sent, the response indicates whether the injection succeeded, for example a delayed response when a time-based payload is used. The vulnerability can also be confirmed with SQL injection tools such as 'sqlmap'.

Remediation

To address this vulnerability, it is recommended to use prepared statements or parameterized queries to handle SQL operations, ensuring that user inputs are properly validated and sanitized before being incorporated into database queries.
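An added example, not SLiMS's own code, contrasting the concatenation pattern described above with the remedied form. It assumes that 'fld' names the column to search and that a companion 'keyword' parameter carries the search term; the table and column names are placeholders, not taken from the page. Because an identifier cannot be bound as a query parameter, the hardened version checks 'fld' against a fixed allow-list and binds only the search term.

```php
<?php
// Added example (not SLiMS's own code). Assumed request shape:
//   author.php?fld=<column>&keyword=<term>
// Table and column names below are placeholders.

// Vulnerable pattern: request data is spliced straight into the SQL text,
// so both the column name and the search term are attacker-controlled SQL.
function searchAuthorsVulnerable(PDO $db, string $fld, string $keyword): array
{
    $sql = "SELECT author_id, author_name FROM mst_author "
         . "WHERE $fld LIKE '%$keyword%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version. A column name cannot be a bound parameter, so 'fld' is
// validated against an allow-list of known columns; the term is bound.
const ALLOWED_FIELDS = ['author_name', 'author_year', 'authority_type'];

function searchAuthorsSafe(PDO $db, string $fld, string $keyword): array
{
    if (!in_array($fld, ALLOWED_FIELDS, true)) {
        throw new InvalidArgumentException('Unknown search field');
    }
    $stmt = $db->prepare(
        "SELECT author_id, author_name FROM mst_author WHERE `$fld` LIKE :kw"
    );
    // Escape LIKE wildcards so the term cannot widen the match, then bind it
    // as a value: the driver never treats its contents as SQL.
    $term = '%' . strtr($keyword, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $stmt->bindValue(':kw', $term, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with placeholder connection details; the module would read the
// parameters from $_GET as shown.
$db = new PDO('mysql:host=localhost;dbname=slims_example', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
]);
$rows = searchAuthorsSafe($db, $_GET['fld'] ?? 'author_name', $_GET['keyword'] ?? '');
```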

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 4.2
exploitability: 6.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.