SourceCodester Advanced School Management System SQL Injection Vulnerability in Vendordetails Endpoint

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Advanced School Management System version 1.0. The issue arises in the vendordetails endpoint of the stock management feature, where the 'id' GET parameter is not properly sanitized before being used in SQL queries. This vulnerability allows authenticated attackers to manipulate SQL queries, potentially leading to unauthorized data access or modification.

Impact

Exploitation of this vulnerability allows for authenticated SQL injection, where an attacker can interfere with the application's database queries. This could result in unauthorized data extraction, modification, or other malicious database actions.

Reproduction

To reproduce this vulnerability, log into the application with valid credentials. Then, send a request to the '/index.php/stock/vendordetails' endpoint with a crafted 'id' parameter that includes malicious SQL code. The injection can be verified by observing the application's response, which may indicate successful exploitation, such as a delay in response time when using time-based payloads.

Remediation

Developers are advised to use prepared statements with parameterized queries to prevent SQL injection. Additionally, strict input validation should be implemented to ensure that user-supplied data is properly sanitized before being used in SQL queries. Applying the principle of least privilege to database user accounts and implementing a web application firewall can also help mitigate the risk.
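The remediation above in working form, as an added example that is not the project's own code: a vulnerable string-concatenated lookup beside a hardened version that validates 'id' as a positive integer and binds it as a query parameter. The in-memory SQLite database, the `vendors` table and its columns are constructed stand-ins for the real schema.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's vendor table; the table and
# column names are assumptions, not taken from the real project.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vendors (id INTEGER PRIMARY KEY, name TEXT, contact TEXT);
        INSERT INTO vendors VALUES (1, 'Acme Supplies', 'acme@example.invalid');
        INSERT INTO vendors VALUES (2, 'Globex Paper', 'globex@example.invalid');
    """)
    return conn

def vendor_details_unsafe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Vulnerable pattern: the raw 'id' GET parameter is concatenated into the SQL."""
    sql = f"SELECT id, name, contact FROM vendors WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()

class InvalidVendorId(ValueError):
    """Raised when 'id' is not a positive integer; the handler should answer HTTP 400."""

def parse_vendor_id(raw_id: str) -> int:
    # Strict allow-list validation: only a positive decimal integer is accepted, so
    # quotes, spaces, comments and SQL keywords never reach the query text.
    if re.fullmatch(r"[1-9][0-9]{0,9}", raw_id) is None:
        raise InvalidVendorId(f"rejected id parameter: {raw_id!r}")
    return int(raw_id)

def vendor_details_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened pattern: validate the input, then bind it as a query parameter."""
    vendor_id = parse_vendor_id(raw_id)
    # The placeholder keeps the value out of the SQL text, so the driver treats it
    # purely as data even if the validation above were ever loosened.
    sql = "SELECT id, name, contact FROM vendors WHERE id = ?"
    return conn.execute(sql, (vendor_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"  # constructed tautology used as a regression test
    print("unsafe, normal id:", vendor_details_unsafe(db, "1"))
    print("unsafe, payload  :", vendor_details_unsafe(db, payload))  # returns every row
    print("safe, normal id  :", vendor_details_safe(db, "1"))
    try:
        vendor_details_safe(db, payload)
    except InvalidVendorId as exc:
        print("safe, payload    : rejected ->", exc)
```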

Added: Aug 30, 2025, 2:18 PM
Updated: Aug 30, 2025, 2:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 6.7
exploitability: 6.6
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.