Gosaliajainam Online Movie Booking SQL Injection Vulnerability in Movie Details PHP
Vulnerability
A SQL injection vulnerability has been identified in the online-movie-booking application, version 5.5. The issue resides in the movie_details.php file, where improper input validation allows unauthenticated attackers to manipulate SQL queries and extract sensitive information from the database. This could include administrative data such as email addresses and passwords, potentially leading to a full compromise of admin accounts.
Impact
Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with the application's database queries. This could result in unauthorized data access, such as retrieving sensitive information from the database, and could potentially lead to a complete compromise of administrative accounts.
Reproduction
To reproduce this vulnerability, send a request to the movie_details.php file with a crafted 'pass' parameter that exploits the SQL injection flaw. This can be done using a local server environment with the online-movie-booking application installed. The vulnerability can be demonstrated by extracting sensitive administrator information from the database, such as email addresses and passwords.
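As an added illustration that is not taken from the online-movie-booking project's source, the following PHP sketch contrasts the pattern the advisory describes (request input interpolated directly into a query string) with a parameterized and validated version. The table name, column names, query shape and the accepted-character pattern are assumptions; only the 'pass' request parameter name comes from the advisory.

```php
<?php
// Added illustration (not the project's code). Table/column names, the query
// shape and the validation pattern are assumptions; 'pass' is the request
// parameter named in the advisory.

// --- Vulnerable pattern: request input concatenated straight into SQL ---
function movie_details_vulnerable(mysqli $db, array $get): ?array {
    $pass = $get['pass'] ?? '';
    // A quote or comment sequence inside $pass changes the query's structure,
    // which is how a caller can read rows (e.g. from an admin table) that the
    // page was never meant to return.
    $sql = "SELECT id, title, description FROM movies WHERE pass = '$pass'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// --- Hardened version: validate the input shape, then bind it as a parameter ---
function movie_details_hardened(PDO $db, array $get): ?array {
    $pass = $get['pass'] ?? null;
    // Reject anything that does not look like an identifier before it reaches
    // the database layer (assumed format for this example).
    if (!is_string($pass) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $pass)) {
        http_response_code(400);
        return null;
    }
    // Parameter binding keeps the value out of the SQL grammar entirely.
    $stmt = $db->prepare('SELECT id, title, description FROM movies WHERE pass = :pass');
    $stmt->bindValue(':pass', $pass, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// PDO connection with real (server-side) prepared statements and exceptions,
// so a failed query cannot silently degrade into an information leak.
function make_pdo(string $dsn, string $user, string $password): PDO {
    return new PDO($dsn, $user, $password, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Example wiring (placeholder credentials):
// $db  = make_pdo('mysql:host=127.0.0.1;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS');
// $row = movie_details_hardened($db, $_GET);
```

Two further controls limit the blast radius even if a query is missed: the web application's database account should only be granted SELECT on the tables the public pages need, so a movie-listing query cannot reach an administrator table at all, and stored administrator passwords should be hashed with password_hash() rather than kept in a form that is useful once exfiltrated. Both are independent of the fix above and are worth checking in any deployment affected by this advisory.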
