Code-Projects News-Buzz Content Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Code-Projects News-Buzz version 1.0, specifically within the file /admin/users.php. The vulnerability arises from the improper handling of the 'change_to_admin' parameter, allowing remote attackers to manipulate the input and execute malicious SQL commands. This issue has been publicly disclosed and is actively exploitable.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a GET request to the /admin/users.php file with the 'change_to_admin' parameter. The request should include a payload that exploits the SQL injection vulnerability, such as an error-based or time-based blind SQL injection payload. This can be done using a tool like SQLMap, which automates the process of finding and exploiting SQL injection vulnerabilities.