Chaitak-Gorai Blogbook SQL Injection Vulnerability in Edit Post Parameter
Vulnerability
A critical SQL injection vulnerability has been identified in the Chaitak-Gorai Blogbook application, specifically in versions up to commit 92f5cf90f8a7e6566b576fe0952e14e1c6736513. The issue arises in the file '/admin/includes/edit_post.php', where user-supplied input from the 'edit_post_id' GET parameter is improperly sanitized before being incorporated into SQL queries. This vulnerability allows remote attackers to inject and execute arbitrary SQL commands, potentially leading to unauthorized access to, modification of, or further compromise of the application's database.
Impact
Exploitation of this vulnerability allows for arbitrary SQL command injection, which could be used to manipulate the application's database. This includes unauthorized data access, data modification, or potentially compromising the database server.
Reproduction
To reproduce this vulnerability, send a request to the '/admin/posts.php' endpoint with the 'source' parameter set to 'edit_post' and the 'p_id' parameter crafted to include SQL injection payloads. The injected SQL will be executed in the context of the application's database, allowing for data extraction or manipulation.
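A hardened form of the lookup this advisory describes, as an added example (not Blogbook's own code): whichever request parameter carries the post id ('edit_post_id' or 'p_id' above) is validated as a positive integer and then bound through a prepared statement. The table and column names, the function names, and the in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical edit-post lookup. Table/column names (posts, post_id,
// post_title) are assumptions, not Blogbook's actual schema.
//
// Pattern the advisory describes (request value concatenated into SQL):
//   $query = "SELECT * FROM posts WHERE post_id = " . $_GET['p_id'];

function parse_post_id(mixed $raw): ?int
{
    // Accept only a plain positive decimal integer. Arrays, signs, spaces,
    // quotes and any trailing text are rejected before the database is touched.
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function load_post_for_edit(PDO $db, mixed $raw): ?array
{
    $id = parse_post_id($raw);
    if ($id === null) {
        return null; // caller should answer 400 and log the request
    }
    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT post_id, post_title FROM posts WHERE post_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (stand-in for the app's DB).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (post_id INTEGER PRIMARY KEY, post_title TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 'Hello'), (2, 'Draft')");

// Constructed inputs: one valid id, malformed values, and an unknown id.
foreach (['2', '2abc', "2'", '-1', ['2'], '999'] as $input) {
    $row = load_post_for_edit($db, $input);
    printf("%-8s => %s\n", json_encode($input), $row['post_title'] ?? 'null');
}
```

Only the first input returns a row; the malformed values are rejected by validation, and the unknown id simply matches nothing.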
