Code-Projects Medical Store Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in version 1.0 of the Code-Projects Medical Store Management System. The issue arises in the ChangePassword.java file, where insufficient input validation of the newPassTxt parameter allows for the injection of malicious SQL queries. This vulnerability can be exploited remotely, leading to unauthorized database access, data manipulation, and potential leakage of sensitive information.

Impact

Exploitation of this vulnerability allows attackers to inject malicious SQL queries, bypassing authentication and manipulating database operations. This could result in unauthorized access to sensitive data, modification or deletion of database records, and in some cases, execution of administrative operations within the application.

Reproduction

To reproduce this vulnerability, send a request to the ChangePassword function with a crafted payload in the newPassTxt parameter that includes SQL injection syntax. The application will respond with a database error, indicating that the injection was successful. After confirming the injection, the payload can be modified to exploit the vulnerability, such as by injecting SQL commands to manipulate user passwords.