code-projects Inventory Management System
cpe:2.3:a:code-projects:inventory_management:*:*:*:*:*:*:*
- 1.0
This vulnerability is being actively exploited in the wild.
A critical SQL injection vulnerability has been identified in version 1.0 of the Code-Projects Inventory Management System. The flaw is in the file '/php_action/createOrder.php', where a POST parameter that the report identifies only as 'Array-like #4*' (the label sqlmap assigns to an array-valued parameter such as `name[]`, so the underlying field name is not given) is concatenated into a SQL query without validation or parameter binding. The script is reachable remotely without authentication, so any network-exposed instance is affected.
An attacker who controls that parameter can execute arbitrary SQL against the application's database: reading data the application's database account can access (including sensitive records), and modifying or deleting rows. Beyond data exposure, tampering with order and stock records undermines the integrity of the inventory itself and can disrupt normal operation.
The vulnerability is reproduced by sending a POST request to '/php_action/createOrder.php' with an injection payload in the affected parameter. Because the parameter is array-valued, the practical starting point is a proxy capture of a legitimate order submission; sqlmap can then be run against the captured request (its request-file mode, -r) to confirm the injection and enumerate the database, or to execute arbitrary SQL statements.
The fix is to stop building SQL from request data: use prepared statements with bound parameters for every value, including each element of array-valued inputs. Input validation (type, range and element count) belongs in front of that as defence in depth, but escaping or filtering alone is not a substitute for parameterization. Since the endpoint is reachable without a session, it should also be placed behind the application's authentication check. Running the application with a least-privilege database account (no DROP, FILE or administrative rights) limits what a successful injection can do, and periodic code review of the remaining '/php_action/' handlers will catch the same pattern elsewhere.
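As an added illustration, not the project's own createOrder.php (the advisory does not reproduce the affected source), the following PHP contrasts the vulnerable pattern with the hardened one. The order_items schema, the parameter names orderId/productId[]/quantity[] and the in-memory SQLite backend are assumptions chosen so the script runs offline with pdo_sqlite; the injected array element is a constructed payload.

```php
<?php
// Added example, not code from the code-projects project: the advisory does not
// reproduce the affected source, so this recreates the flaw class on an assumed
// order_items table using an in-memory SQLite database (runs offline with pdo_sqlite).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE order_items (
    id INTEGER PRIMARY KEY, order_id INTEGER, product_id INTEGER, quantity INTEGER)');

// Constructed request body standing in for $_POST. productId[] is an array-valued
// parameter (the shape sqlmap reports as "Array-like #N*"); its second element
// closes the VALUES list and stacks a destructive statement behind it.
$post = [
    'orderId'   => '7',
    'productId' => ['12', '99, 1); DELETE FROM order_items; --'],
    'quantity'  => ['2', '1'],
];

// VULNERABLE pattern: every element is spliced into the SQL text as-is.
function createOrderVulnerable(PDO $db, array $post): void
{
    foreach ($post['productId'] as $i => $productId) {
        $sql = 'INSERT INTO order_items (order_id, product_id, quantity) VALUES ('
             . $post['orderId'] . ', ' . $productId . ', ' . $post['quantity'][$i] . ')';
        $db->exec($sql);   // stacked statements in the payload run here
    }
}

// HARDENED pattern: validate the shape and type of every element, then bind the
// values through a prepared statement so they can never become SQL syntax.
function createOrderSafe(PDO $db, array $post): int
{
    $intOpts    = ['options' => ['min_range' => 1]];
    $orderId    = filter_var($post['orderId'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    $products   = $post['productId'] ?? null;
    $quantities = $post['quantity'] ?? null;
    if ($orderId === false || !is_array($products) || !is_array($quantities)
        || $products === [] || count($products) !== count($quantities)) {
        throw new InvalidArgumentException('malformed order request');
    }

    $stmt = $db->prepare(
        'INSERT INTO order_items (order_id, product_id, quantity)
         VALUES (:order_id, :product_id, :quantity)'
    );
    $db->beginTransaction();
    try {
        foreach ($products as $i => $productId) {
            $pid = filter_var($productId, FILTER_VALIDATE_INT, $intOpts);
            $qty = filter_var($quantities[$i] ?? null, FILTER_VALIDATE_INT, $intOpts);
            if ($pid === false || $qty === false) {
                throw new InvalidArgumentException("item $i is not a positive integer");
            }
            $stmt->execute([':order_id' => $orderId, ':product_id' => $pid, ':quantity' => $qty]);
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();   // no partial order survives a rejected element
        throw $e;
    }
    return count($products);
}

createOrderVulnerable($db, $post);
echo 'rows after vulnerable handler: '
   . $db->query('SELECT COUNT(*) FROM order_items')->fetchColumn() . "\n"; // the stacked DELETE emptied the table

try {
    createOrderSafe($db, $post);
} catch (InvalidArgumentException $e) {
    echo 'safe handler rejected the request: ' . $e->getMessage() . "\n";
}
```

The hardened handler rejects the same request before any SQL is executed, because the payload element is not a positive integer; had it been syntactically valid, the bound placeholder would still have carried it as data rather than as part of the statement. The transaction matters for array-valued input: without it, a rejected third element would leave the first two rows committed as a half-written order.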