SourceCodester Online Bank Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Online Bank Management System version 1.0. The issue arises in the '/bank/mnotice.php' file, where the 'id' parameter is not properly sanitized, allowing remote attackers to manipulate SQL queries and potentially access sensitive database information. This vulnerability can be exploited without authentication and has been publicly disclosed.

Impact

Exploitation of this vulnerability allows unauthorized access to the database, leading to potential data leakage, data manipulation, and in some cases, unauthorized control over the system or disruption of services.

Reproduction

The vulnerability can be reproduced by sending a GET request to '/bank/mnotice.php' with a crafted 'id' parameter that includes SQL injection payloads. The injection can be verified by using a payload that, for example, causes a time delay in the response, indicating that the injected SQL command was executed by the database.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.