SourceCodester Hotel Reservation System SQL Injection Vulnerability in UpdateAbout.php
Vulnerability
A SQL injection vulnerability has been identified in SourceCodester Hotel Reservation System version 1.0. The issue resides in the admin/updateabout.php file, where the address parameter is passed into a database query without proper handling, allowing arbitrary SQL to be executed. This vulnerability can be exploited remotely, without authentication.
Impact
Exploitation of this vulnerability allows attackers to inject arbitrary SQL commands, potentially leading to unauthorized database access, data manipulation, and control over the application environment.
Reproduction
The vulnerability can be reproduced by sending a POST request to the admin/updateabout.php file with a crafted address parameter that includes SQL injection payloads. This can be done using tools like sqlmap, which automates the process of finding and exploiting SQL injection vulnerabilities.
Remediation
It is recommended to use prepared statements and parameterized queries to prevent SQL injection. Additionally, input validation and sanitization should be implemented to ensure that only expected data is processed. Regular security audits and updating deprecated libraries can also help mitigate such vulnerabilities.
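The following PHP is an added illustration of the remediation above, not code from the Hotel Reservation System itself: it shows the unsafe concatenation pattern next to a version that uses a mysqli prepared statement with a bound parameter, plus the session and method checks an admin-only update handler should have. The table name `about`, the columns `id` and `address`, the session key `admin_id` and the connection credentials are all assumptions, since the advisory does not give the schema.

```php
<?php
// Added illustration, not the project's own code.
// Assumed: a mysqli connection in $conn and a table `about` with columns
// `id` and `address` (the real schema is not given in the advisory).

// Unsafe pattern: the request value is spliced straight into the SQL text,
// so anything the client sends is parsed by the database as part of the statement.
function updateAddressUnsafe(mysqli $conn, string $address, int $id): bool
{
    $sql = "UPDATE about SET address = '" . $address . "' WHERE id = " . $id;
    return $conn->query($sql) !== false;
}

// Hardened version: the SQL text is fixed at prepare time and the address
// travels as a bound parameter, so it can only ever be data, never SQL.
function updateAddressSafe(mysqli $conn, string $address, int $id): bool
{
    // Input validation: reject values the column was never meant to hold.
    if ($address === '' || mb_strlen($address) > 255) {
        return false;
    }
    $stmt = $conn->prepare("UPDATE about SET address = ? WHERE id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $address, $id); // 's' = string, 'i' = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Handler sketch for admin/updateabout.php: require an admin session
// (the advisory notes the endpoint is reachable unauthenticated), accept
// only POST, and hand the raw value to the parameterized update.
session_start();
if (!isset($_SESSION['admin_id'])) {          // assumed session key
    http_response_code(403);
    exit('Forbidden');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['address'])) {
    http_response_code(400);
    exit('Bad request');
}
$conn = new mysqli('localhost', 'user', 'pass', 'hotel'); // assumed credentials
$conn->set_charset('utf8mb4');
echo updateAddressSafe($conn, (string) $_POST['address'], 1) ? 'updated' : 'failed';
```

The same bind-parameter approach applies to every other query in the application that reads request data; fixing only this file leaves the same class of defect elsewhere.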