SourceCodester Online Bank Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Online Bank Management System version 1.0. The issue arises in the '/bank/show.php' file, where the 'id' parameter is not properly validated, allowing attackers to manipulate SQL queries and potentially access sensitive database information. This vulnerability can be exploited remotely without authentication.

Impact

Exploitation of this vulnerability allows for unauthorized access to the database, leading to the disclosure of sensitive information, data manipulation, and in some cases, complete control over the system. Additionally, it could cause interruptions in service.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/bank/show.php' endpoint with a crafted 'id' parameter. The payload should include SQL injection techniques, such as union-based injections or time-based blind injections, to exploit the vulnerability. This can be done using tools like SQLMap.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.