SourceCodester Simple Company Website SQL Injection Vulnerability in Admin Panel

Vulnerability

A critical SQL injection vulnerability has been identified in SourceCodester Simple Company Website version 1.0. The issue arises in the admin panel, specifically within the file '/admin/services/manage.php'. The vulnerability is triggered by manipulating the 'id' parameter, whose value is incorporated into a database query without proper handling, allowing an attacker to inject arbitrary SQL. The injection can be exploited remotely, but requires authentication to the backend system.

Impact

Exploitation of this vulnerability allows unauthorized access to the database, where attackers can read, modify, or delete data. Additionally, it could lead to unauthorized access to sensitive information and disrupt normal service operations.

Reproduction

To reproduce this vulnerability, log into the admin panel of the affected website using the default credentials (admin/admin123). Once authenticated, navigate to the 'services/manage' page. The vulnerability can be exploited by injecting SQL payloads into the 'id' parameter of the request. This can be done manually or using an automated tool like sqlmap, which can exploit the vulnerability and extract data from the database.

Remediation

It is recommended to use prepared statements with parameter binding so that user-supplied values are never interpolated into SQL text. Input validation and filtering should be implemented to ensure user input conforms to the expected format. Additionally, minimize database user permissions and conduct regular security audits.
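The following is an added illustration of the remediation above; it is not code from SourceCodester Simple Company Website (the real contents of '/admin/services/manage.php' are not reproduced here). It assumes a MySQL table named services with an integer primary key id and columns name and description, a PDO connection, and the hypothetical function names getServiceVulnerable and getServiceSafe. The first function shows the interpolation pattern that produces this class of bug; the second shows the same lookup with type validation and a bound parameter.

```php
<?php
// Added example (not project code). Assumed schema: services(id INT PK, name, description).

// VULNERABLE PATTERN (do not use): the untrusted 'id' value becomes part of the
// SQL text, so any SQL syntax in it changes the meaning of the statement.
function getServiceVulnerable(PDO $pdo, array $request): ?array
{
    $id = $request['id'] ?? '';
    $sql = "SELECT id, name, description FROM services WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED PATTERN: validate the type first, then send the value separately
// from the query text via a prepared statement.
function getServiceSafe(PDO $pdo, array $request): ?array
{
    // 1. Input validation: 'id' must be a positive integer; anything else is rejected.
    $id = filter_var(
        $request['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 2. Parameter binding: the placeholder is compiled as part of the statement,
    //    and the integer is supplied as data, so it can never alter the structure.
    $stmt = $pdo->prepare('SELECT id, name, description FROM services WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholder connection; the real DSN and credentials belong in the application's
// configuration, and the DB account should be limited to the privileges this page needs.
$pdo = new PDO(
    'mysql:host=localhost;dbname=company_db;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use native server-side prepared statements
    ]
);

$service = getServiceSafe($pdo, $_GET);
```

Setting PDO::ATTR_EMULATE_PREPARES to false makes the MySQL server itself parse the statement before the value arrives; with the default emulation, PDO still quotes the bound value client-side, but the validation step remains the first line of defence either way because it rejects non-integer input before any query is built.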

Added: Jun 29, 2025, 7:17 PM
Updated: Jun 29, 2025, 7:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.6
exploitability: 6.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.