Campcodes Advanced Online Voting System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Campcodes Advanced Online Voting System version 1.0. The issue resides in the file '/admin/voters_delete.php', where insufficient validation of the 'id' parameter allows attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, requiring authentication to access the vulnerable page.

Impact

Exploitation of this vulnerability allows unauthorized database access, manipulation of data, and potential disruption of services.

Reproduction

To reproduce this vulnerability, authenticate to the application to obtain a valid PHP session ID. Then, send a POST request to '/admin/voters_delete.php' with the 'delete' parameter set to '1' and the 'id' parameter crafted to include the SQL injection payload. The injection can be verified by observing the application's response or by using a tool like sqlmap to automate the exploitation.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.