SourceCodester Client Database Management System SQL Injection Vulnerability
Vulnerability
A critical SQL injection vulnerability has been identified in SourceCodester Client Database Management System version 1.0. The issue resides in the file '/user_void_transaction.php', where the value of the 'order_id' parameter is placed into a SQL query without adequate sanitization, so a crafted value can inject SQL code. This vulnerability allows remote attackers to execute unauthorized SQL commands, potentially leading to unauthorized database access, data manipulation, and compromise of the underlying system.
Impact
Exploitation of this vulnerability allows for SQL injection, with potential consequences including unauthorized database access, data leakage, data manipulation, and execution of arbitrary code on the server, according to the vulnerability disclosure.
Reproduction
The vulnerability can be reproduced by sending a POST request to '/cdm/user_void_transaction.php' with an 'order_id' parameter that contains a crafted SQL payload. Because the application incorporates the parameter value into its SQL query without proper handling, the injected SQL is executed by the database.
Remediation
It is recommended to use prepared statements with parameter binding to prevent SQL injection, to validate and filter user input, to minimize the permissions of the database user, and to conduct regular security audits.
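The remediation above applied to the affected handler, as an added example that is not code from the SourceCodester project: the 'order_id' value is validated as a positive integer and then bound to a prepared statement rather than concatenated into the query. The table and column names are assumptions, since the application's schema is not part of the disclosure.

```php
<?php
// Added example, not the project's code. Demonstrates the fix for the
// 'order_id' handling in user_void_transaction.php. The table 'orders' and
// its columns are assumed; the real schema is not given in the disclosure.

// Weak pattern (the class of bug the advisory describes): the request value
// is spliced into the SQL text, so the database executes whatever arrives.
// $sql = "UPDATE orders SET status = 'void' WHERE order_id = '" . $_POST['order_id'] . "'";

function voidTransaction(mysqli $db, array $post): bool
{
    // 1. Validate: an order id must be a positive integer. Anything else,
    //    including a missing parameter, is rejected before touching the DB.
    $orderId = filter_var(
        $post['order_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($orderId === false) {
        return false;
    }

    // 2. Prepared statement with parameter binding: the SQL text is fixed and
    //    the value travels separately, so it can never change the query's shape.
    $stmt = $db->prepare("UPDATE orders SET status = 'void' WHERE order_id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $orderId); // 'i' = bind as integer
    $ok = $stmt->execute();
    $stmt->close();

    // 3. Least privilege (configured outside this file): the account used for
    //    $db should only hold UPDATE/SELECT on the tables this page needs.
    return $ok;
}
```

Wiring it in: `$result = voidTransaction($conn, $_POST);`, where `$conn` is the application's existing mysqli connection, replaces the concatenated query.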
