indieka900 Online Shopping System SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in version 1.0 of the indieka900 Online Shopping System PHP application. The issue resides in the login.php file, specifically within the password parameter. This vulnerability allows attackers to inject arbitrary SQL commands, which could be exploited using time-based blind SQL injection techniques to manipulate or enumerate the backend database.

Impact

Exploitation of this vulnerability could lead to unauthorized database access, allowing attackers to read, write, or delete database information. It could also enable database enumeration, unauthorized access to sensitive information, authentication bypass, account takeover, and potentially code execution, depending on the database management system configuration.

Remediation

To address this vulnerability, it is recommended to use parameterized queries and prepared statements to prevent SQL injection. Additionally, implement strict server-side input validation, enforce the principle of least privilege for the database account, regularly patch and update the application and its dependencies, and ensure that user input, especially passwords, is sanitized and validated before being processed in SQL queries.
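The following is an added example, not code from the indieka900 Online Shopping System, showing the pattern the remediation describes: the string-concatenated login query that makes the password parameter injectable, next to a hardened version using a PDO prepared statement, server-side input validation, and a stored password hash. The table and column names (`users`, `username`, `password_hash`) and the database account name are assumptions, not the project's schema.

```php
<?php
// Added example; not the application's own login.php. Assumes a PDO connection to
// a `users` table with `username` and `password_hash` columns (assumed names).

// Vulnerable pattern: user input is spliced into the SQL text, so the structure of
// the query depends on what the user typed into the password field.
function loginVulnerable(PDO $pdo, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users "
         . "WHERE username = '$username' AND password = '$password'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened pattern: the SQL text is fixed, values travel as bound parameters,
// and the password never enters the query at all; it is checked against a hash.
function loginSafe(PDO $pdo, string $username, string $password): ?array
{
    // Strict server-side validation before any database work (limits are assumptions).
    if ($username === '' || strlen($username) > 64 || strlen($password) > 1024) {
        return null;
    }

    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :username LIMIT 1'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a hash even when no user matched, so the response time does not
    // differ between unknown and known usernames (placeholder hash computed here).
    $hash = $row['password_hash'] ?? password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return null;
    }

    unset($row['password_hash']);
    return $row;
}

// Connection with emulated prepares disabled so the database server itself parses the
// statement template; the DSN and credentials are placeholders. The `shop_login` account
// (assumed name) should hold only the SELECT privilege it needs on `users`.
function makePdo(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=shop;charset=utf8mb4',
        'shop_login',
        'PLACEHOLDER_PASSWORD',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Usage from a login handler:
// $user = loginSafe(makePdo(), $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($user === null) { /* generic failure message, same for bad user and bad password */ }
```

Storing hashes produced by `password_hash()` rather than plaintext passwords also means the password column is never compared inside SQL, which removes the injection point the advisory describes and limits what a database compromise exposes.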

Added: Oct 27, 2025, 4:17 PM
Updated: Oct 27, 2025, 8:31 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.4
remediation: 0.0
relevance: 0.8
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.