SourceCodester Online Bank Management System SQL Injection Vulnerability in feedback.php
Vulnerability
A SQL injection vulnerability has been identified in SourceCodester Online Bank Management System version 1.0. The issue arises in the feedback.php file, where the 'msg' parameter is not properly validated or sanitized. This oversight allows attackers to manipulate the input and execute malicious SQL commands, potentially compromising the application's database. The vulnerability can be exploited remotely, without any authentication requirements.
Impact
Exploitation of this vulnerability allows for unauthorized SQL injection, where attackers can execute arbitrary SQL commands. This could lead to unauthorized data access, data manipulation, or in some cases, executing commands on the server under the database application's privileges.
Reproduction
To reproduce this vulnerability, send a POST request to the feedback.php page with a crafted 'msg' parameter containing SQL injection payloads. Because the value is placed directly into a SQL query without validation, the injected SQL is executed by the database and can manipulate its contents or extract sensitive information. The absence of input validation and the direct execution of user-supplied data in SQL queries are the key factors that enable this exploitation.
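The following is an added example, not code from SourceCodester Online Bank Management System, showing the kind of defect the advisory describes (a 'msg' POST parameter concatenated straight into an INSERT) next to a hardened handler that validates the input and binds it through a prepared statement. The table and column names (feedback, msg, created_at), the database credentials and the mysqli wiring are assumptions for illustration; the real feedback.php may differ.

```php
<?php
// Added example (not the project's own code). Contrasts an unsanitized 'msg'
// parameter spliced into SQL with the same write done via a prepared statement.
// Table/column names and credentials below are assumed placeholders.

// --- Vulnerable pattern (assumed shape of the flaw; shown for contrast only) ---
function save_feedback_vulnerable(mysqli $db, array $post): bool
{
    // User-controlled text becomes part of the SQL text itself, so quote
    // characters and SQL keywords in it are interpreted by the database.
    $msg = $post['msg'] ?? '';
    $sql = "INSERT INTO feedback (msg) VALUES ('" . $msg . "')";
    return $db->query($sql) === true;
}

// --- Hardened pattern ---
function validate_feedback_msg(array $post): ?string
{
    // Reject anything that is not a single, well-formed UTF-8 string of
    // reasonable length before the value gets anywhere near the database.
    if (!isset($post['msg']) || !is_string($post['msg'])) {
        return null;
    }
    $msg = trim($post['msg']);
    if ($msg === '' || !mb_check_encoding($msg, 'UTF-8') || mb_strlen($msg, 'UTF-8') > 2000) {
        return null;
    }
    return $msg;
}

function save_feedback_safe(mysqli $db, array $post): bool
{
    $msg = validate_feedback_msg($post);
    if ($msg === null) {
        return false;
    }
    // The value is sent as a bound parameter: it is never concatenated into the
    // statement, so the database always treats it as data, never as SQL.
    $stmt = $db->prepare("INSERT INTO feedback (msg, created_at) VALUES (?, NOW())");
    $stmt->bind_param('s', $msg);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Entry point modelled on a POST handler such as feedback.php (assumed wiring).
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions, not silent false
    $db = new mysqli('localhost', 'app_user', 'CHANGE_ME', 'bank_db'); // placeholder credentials
    $db->set_charset('utf8mb4');
    echo save_feedback_safe($db, $_POST) ? 'Feedback saved' : 'Invalid feedback';
}
```

Two points worth keeping in mind when applying this to the real code base: the prepared statement, not the length or encoding check, is what closes the injection, so the validation step is defence in depth rather than a substitute for binding; and the database account used by the application should hold only the INSERT/SELECT rights the feedback feature needs, which limits what the advisory's "commands on the server under the database application's privileges" could reach even if another unparameterised query is found later.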