SourceCodester Patients Waiting Area Queue Management System SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability exists in SourceCodester Patients Waiting Area Queue Management System version 1.0. The flaw is in 'php/api_patient_schedule.php', where the value of the 'appointmentID' parameter is incorporated into a database query and interpreted as SQL, so a crafted value executes arbitrary SQL statements. An attacker who can reach the endpoint can read data from the application database, including sensitive information that the endpoint was never meant to return.
Impact
Exploitation is remote: an attacker with network access to the application and an account on it (the application lets anyone create a staff account through self-registration) can execute arbitrary SQL commands and manipulate the database. In this application that includes extracting sensitive information such as staff user credentials and other personal data stored in the database.
Reproduction
To reproduce, register a new staff account through the 'php/api_register_staff.php' endpoint and log in with it. Then send a GET request to 'php/api_patient_schedule.php' with a crafted 'appointmentID' value that carries a SQL injection payload, for example a UNION SELECT that appends rows from another table to the result. If the injection succeeds, the response contains data the endpoint should not return, such as rows from the 'staff' table. Because the account used is self-registered, no privileged access is required to reach the vulnerable endpoint.
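The following is an added example, not code from the advisory or from the SourceCodester project. It models the flaw class described above against a constructed in-memory SQLite database: a lookup that concatenates 'appointmentID' into the query text, the UNION SELECT payload that pulls rows out of a 'staff' table through it, and a hardened lookup that validates the value as an integer and binds it as a parameter. The table name 'staff' and the parameter name come from the advisory; the 'appointments' table, all column names and the sample rows are assumptions made for illustration.

```python
import sqlite3

# Constructed stand-in for the application's database. Only the 'staff' table
# name is taken from the advisory; the 'appointments' table, the column names
# and the rows below are assumptions for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE staff (id INTEGER, username TEXT, password TEXT)")
    cur.execute("CREATE TABLE appointments (id INTEGER, patient TEXT, slot TEXT)")
    cur.executemany("INSERT INTO staff VALUES (?, ?, ?)",
                    [(1, "admin", "s3cr3t"), (2, "nurse1", "pass123")])
    cur.executemany("INSERT INTO appointments VALUES (?, ?, ?)",
                    [(7, "J. Doe", "09:00"), (8, "A. Roe", "09:30")])
    conn.commit()
    return conn


def schedule_vulnerable(conn, appointment_id):
    # Models the flaw class in the advisory: the request parameter is pasted
    # into the SQL text, so whatever it contains is executed as SQL.
    sql = "SELECT id, patient, slot FROM appointments WHERE id = " + appointment_id
    return conn.execute(sql).fetchall()


def schedule_fixed(conn, appointment_id):
    # Hardened form: reject anything that is not an integer, then bind the
    # value so the database never sees it as query syntax.
    try:
        aid = int(appointment_id)
    except (TypeError, ValueError):
        raise ValueError("appointmentID must be an integer")
    return conn.execute(
        "SELECT id, patient, slot FROM appointments WHERE id = ?", (aid,)
    ).fetchall()


# The UNION SELECT payload must match the column count (3) of the original
# query; it appends the staff table's credentials to the schedule result.
PAYLOAD = "7 UNION SELECT id, username, password FROM staff"


def leaked_credentials(rows):
    # Staff credentials are recognisable because they appear in the columns
    # the endpoint reserves for the patient name and time slot.
    return {(r[1], r[2]) for r in rows} & {("admin", "s3cr3t"), ("nurse1", "pass123")}


def demo():
    conn = build_db()
    vuln_rows = schedule_vulnerable(conn, PAYLOAD)
    try:
        fixed_rows = schedule_fixed(conn, PAYLOAD)
        fixed_rejected = False
    except ValueError:
        fixed_rows = []
        fixed_rejected = True
    return {
        "vulnerable_row_count": len(vuln_rows),
        "leaked": leaked_credentials(vuln_rows),
        "fixed_rejected": fixed_rejected,
        "fixed_rows": fixed_rows,
    }


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, the vulnerable lookup returns the appointment row plus both staff rows, while the hardened lookup rejects the payload before any query is built. The integer check matters as much as the parameter binding: binding alone stops the injection, but refusing non-numeric input also removes the error messages that help an attacker map the query.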
