Campcodes Advanced Online Voting System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Campcodes Advanced Online Voting System version 1.0. The issue resides in the '/index.php' file, where the 'voter' parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, bypassing authentication requirements.

Impact

Exploitation of this vulnerability allows unauthorized access to the application's database, where attackers can manipulate, delete, or exfiltrate sensitive data. Additionally, such access could be leveraged to gain control over the application server, potentially disrupting services.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/votesystem/login.php' with the 'voter' parameter. The request must include a crafted SQL payload that exploits the time-based blind SQL injection vulnerability, such as one that uses the 'SLEEP' function to introduce a delay, indicating successful injection.

Remediation

To address this vulnerability, developers should implement prepared statements and parameter binding to separate SQL code from user input, conduct thorough input validation and filtering, and minimize database user permissions to the least required.