itsourcecode Insurance Management System SQL Injection Vulnerability in insertNominee.php

A critical SQL injection vulnerability has been identified in the itsourcecode Insurance Management System version 1.0. The issue resides in the insertNominee.php file, where the nominee_id parameter is manipulated to execute unauthorized SQL commands. This vulnerability can be exploited remotely, but requires authentication with valid credentials. Once logged in, attackers can inject malicious SQL through the nominee_id parameter, leading to unauthorized database access and potential data manipulation.

Impact

Exploitation of this vulnerability allows for SQL injection, which could result in unauthorized database access, data leakage, data manipulation, and in some cases, remote code execution.

Reproduction

To reproduce this vulnerability, log into the application with valid credentials. After obtaining a session cookie, send a POST request to the insertNominee.php file with the nominee_id parameter manipulated to include a crafted SQL payload. This can be done using a tool like sqlmap, which automates the injection process and exploits the vulnerability.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be implemented to ensure user input conforms to expected formats. Minimizing database user permissions and conducting regular security audits can also help mitigate such vulnerabilities.