Campcodes Complete Sales and Inventory System
cpe:2.3:a:campcodes:sales_and_inventory_system:*:*:*:*:*:*:*
- v1.0
A critical SQL injection vulnerability has been identified in Campcodes Sales and Inventory System version 1.0. The flaw is in the file '/pages/cat_add.php', where the 'category' parameter from the request is placed into an SQL statement without validation, escaping or parameter binding, so attacker-supplied text becomes part of the query itself. This lets an attacker alter the structure of the database query and perform actions the application never intended. The vulnerability is reachable remotely and does not require authentication.
Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized database access, data manipulation, and disclosure of sensitive information.
The vulnerability can be reproduced by sending a POST request to '/pages/cat_add.php' whose 'category' field carries an SQL injection payload, either through an intercepting proxy such as Burp Suite or with a hand-crafted request. A sensible first check is a harmless probe, for example a lone single quote, compared against a normal submission: a database error or a changed response confirms that the value reaches the query unescaped before any further payload is tried.
The fix is to stop building the query from request data: use prepared statements with bound parameters (in PHP, PDO or mysqli prepared statements) so the database receives the value separately from the SQL text. Allow-list input validation on 'category' (permitted characters, maximum length) is useful defence in depth but is not a substitute for parameterisation, and running the application with a least-privilege database account limits what a successful injection can reach. Regular security audits can also help identify and address such vulnerabilities.
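The following is an added example, not code from Campcodes or from this advisory, that models the flaw described above and its fix. It assumes the vulnerable handler concatenates the 'category' value into an INSERT statement; the table names, column names and sample credential row are constructed for the demonstration, and SQLite stands in for the application's MySQL backend because the injection mechanics are the same. Two payloads are shown: one that smuggles a value out of another table into the new category row (disclosure), and one that inserts an extra row (manipulation). The parameterised handler stores both payloads as harmless literal strings.

```python
import re
import sqlite3

# Constructed schema standing in for the application's tables (an assumption,
# not the real Campcodes schema). The users row exists only to show exfiltration.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'h4sh_of_admin');
    """)
    return conn


def cat_add_vulnerable(conn, category):
    # Models the flaw: the request value is glued into the SQL text, so quotes
    # and operators inside it are interpreted as SQL, not as data.
    sql = "INSERT INTO categories (name) VALUES ('" + category + "')"
    conn.execute(sql)
    conn.commit()
    return sql


def cat_add_fixed(conn, category):
    # The fix: the SQL text is fixed and the value travels as a bound parameter.
    # Whatever the attacker sends is stored verbatim as a single string.
    conn.execute("INSERT INTO categories (name) VALUES (?)", (category,))
    conn.commit()


def validate_category(category):
    # Defence in depth, not the primary control: an allow-list of characters a
    # real category name needs (assumed policy), bounded in length.
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9 &/-]{0,63}", category) is not None


def category_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM categories ORDER BY id")]


def run_handler(handler, category):
    # Fresh database per run so each payload's effect can be inspected alone.
    conn = build_db()
    handler(conn, category)
    return category_names(conn)


# Constructed payloads. The first closes the string, concatenates a value read
# from another table, and reopens the string so the statement stays valid.
# The second closes the VALUES tuple and opens a second one.
EXFIL_PAYLOAD = "x' || (SELECT password FROM users WHERE username='admin') || '"
EXTRA_ROW_PAYLOAD = "x'), ('attacker_row"


if __name__ == "__main__":
    print("vulnerable, exfil payload :", run_handler(cat_add_vulnerable, EXFIL_PAYLOAD))
    print("vulnerable, extra-row    :", run_handler(cat_add_vulnerable, EXTRA_ROW_PAYLOAD))
    print("fixed, exfil payload     :", run_handler(cat_add_fixed, EXFIL_PAYLOAD))
    print("fixed, extra-row         :", run_handler(cat_add_fixed, EXTRA_ROW_PAYLOAD))
    print("validate 'Beverages'     :", validate_category("Beverages"))
    print("validate exfil payload   :", validate_category(EXFIL_PAYLOAD))
```

With the concatenating handler the stored category name becomes the admin password prefixed by "x", and the second payload yields two rows instead of one; with the bound-parameter handler both payloads land in the table as ordinary text and nothing else changes. The allow-list rejects both payloads, but the reason to deploy it is to catch malformed input early, not to replace parameter binding, which is what actually removes the injection.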