Indieka900 Online Shopping System PHP SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Indieka900 Online Shopping System PHP application, version 1.0. The issue resides in the 'review_action.php' file, where the 'proId' parameter is vulnerable to injection. This vulnerability allows an unauthenticated attacker to execute arbitrary SQL commands, potentially leading to unauthorized data access or manipulation.

Impact

Exploitation of this vulnerability could result in a data breach, allowing attackers to extract sensitive information such as user data, credentials, and payment details. Additionally, it could enable authentication bypass, unauthorized access to administrative functions, and manipulation of critical database records. In certain configurations, this vulnerability could also lead to remote code execution.

Reproduction

To reproduce this vulnerability, send a crafted POST request to 'review_action.php' with a malicious payload in the 'proId' parameter. The injected SQL payload can exploit the application's database query handling, allowing for time-based blind SQL injection attacks.

Remediation

To address this vulnerability, implement input validation for user-supplied data, use parameterized queries to prevent SQL injection, deploy Web Application Firewall rules to block injection attempts, and update the application with the latest security patches.