Code-Projects Human Resource Integrated System SQL Injection Vulnerability

Vulnerability

A critical SQL injection vulnerability has been identified in Code-Projects Human Resource Integrated System version 1.0. The issue arises in the file '/insert-and-view/action.php', where the 'content' parameter is improperly processed, allowing for malicious SQL commands to be executed. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for arbitrary SQL command execution, potentially leading to database manipulation, unauthorized data access, or disruption of database integrity.

Reproduction

To reproduce this vulnerability, navigate to the comment submission form of the application. Intercept the POST request and modify the 'content' parameter with a crafted payload that includes SQL injection syntax, such as SQL commands followed by a comment delimiter. Submit the modified request to execute the injected SQL commands.

Remediation

It is recommended to use parameterized queries or prepared statements to handle SQL queries securely. Transition from the deprecated mysql_* functions to mysqli_* or PDO with parameterized queries. Implement strict input validation and sanitization, and limit the database user's privileges according to the principle of least privilege.
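As an added illustration of the remediation above (this is example code, not code from Code-Projects or the Human Resource Integrated System), a PDO-based handler for the comment form that binds the 'content' parameter as data instead of splicing it into the SQL text; the DSN, credentials, the 'comments' table and its columns are assumptions:

```php
<?php
// Added example, not the application's own code: a hardened handler for the
// comment form that stores the 'content' POST parameter through a PDO prepared
// statement. DSN, credentials, table and column names are assumptions.

// Pattern the advisory describes, shown for contrast only:
//   mysql_query("INSERT INTO comments (content) VALUES ('{$_POST['content']}')");
// User input becomes SQL text, so a quote, SQL and a comment delimiter rewrite it.

function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=hris;charset=utf8mb4'; // assumed DSN
    return new PDO($dsn, 'hris_app', getenv('HRIS_DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares: the driver never rebuilds SQL text from data.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function validateContent(?string $content): string
{
    $content = trim((string) $content);
    // Reject empty or oversized input; the limit matches the assumed column size.
    if ($content === '' || mb_strlen($content) > 2000) {
        throw new InvalidArgumentException('content must be 1-2000 characters');
    }
    return $content;
}

function insertComment(PDO $pdo, string $content): int
{
    // The placeholder is bound as data; any SQL syntax inside $content is inert.
    $stmt = $pdo->prepare('INSERT INTO comments (content, created_at) VALUES (:content, NOW())');
    $stmt->execute([':content' => $content]);
    return (int) $pdo->lastInsertId();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $id = insertComment(connect(), validateContent($_POST['content'] ?? null));
        echo 'Comment saved with id ' . $id;
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (PDOException $e) {
        http_response_code(500);
        error_log($e->getMessage()); // keep database detail out of the response
        echo 'Could not save comment';
    }
}
```

Pair this with a database account that holds only INSERT/SELECT on the tables the form needs, so a future injection elsewhere cannot alter schema or other data.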

Added: Aug 3, 2025, 5:20 AM
Updated: Aug 3, 2025, 5:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.0
exploitability: 9.1
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.