SourceCodester COVID-19 Testing Management System SQL Injection Vulnerability in Phlebotomist Edit File

A SQL injection vulnerability has been identified in SourceCodester's COVID-19 Testing Management System version 1.0. The issue arises in the '/edit-phlebotomist.php' file, where the 'mobilenumber' parameter is improperly validated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, without authentication, potentially leading to unauthorized database access, data manipulation, and disruption of service.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, and in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to the '/edit-phlebotomist.php' file with an injected payload in the 'mobilenumber' parameter. The injection can be crafted to exploit time-based blind SQL injection techniques, such as using 'AND (SELECT sleep(5))' to test for vulnerability.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.