pmTicket Project Management Software SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in pmTicket Project Management Software versions prior to 2ef379da2075f4761a2c9029cf91d073474e7486. The issue arises in the 'getUserLanguage' function within 'classes/class.database.php', where the 'user_id' parameter is manipulated, allowing for arbitrary SQL commands to be injected. This vulnerability can be exploited remotely and without authentication, potentially leading to unauthorized access and leakage of sensitive information, such as the admin user's username and password hash.

Impact

Exploitation of this vulnerability allows for unauthenticated SQL injection, enabling attackers to inject and execute arbitrary SQL commands. This could be used to extract sensitive information from the database, such as user credentials, or to manipulate the database in unauthorized ways.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the 'getUserLanguage' function with a 'user_id' parameter that includes malicious SQL payloads. This can be done using a simple Python script that automates the injection process, exploiting the SQL injection vulnerability to extract sensitive information, such as the admin password hash, from the database.