SourceCodester Online Bank Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Online Bank Management System versions through 1.0. The issue arises in the file /bank/statements.php, where the 'email' parameter can be manipulated to execute unauthorized SQL commands. This vulnerability can be exploited remotely without authentication, potentially allowing attackers to access sensitive database information.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, access the /bank/statements.php file without authentication. Once the page is loaded, capture the HTTP request and modify the 'email' parameter to include a crafted SQL payload. The request can then be sent using the POST method. Tools like SQLMap can be used to automate the exploitation process, taking advantage of the SQL injection vulnerability to extract sensitive database information.