SourceCodester Health Center Patient Record Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in SourceCodester Health Center Patient Record Management System version 1.0. The issue resides in the admin/admin.php file, where the Username parameter is manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, allowing attackers to access and manipulate the database without authorization.

Impact

Exploitation of this vulnerability could lead to unauthorized database access, data modification or deletion, leakage of sensitive information, and potential disruption of services.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /admin/admin.php file with crafted payloads that exploit the SQL injection flaw in the Username parameter. This can be done using tools like sqlmap, which automates the process of finding and exploiting SQL injection vulnerabilities.

Remediation

To address this vulnerability, it is recommended to implement prepared statements and parameter binding to prevent SQL injection, conduct thorough input validation and filtering, and minimize database user permissions.