Code-Projects Online Product Reservation System SQL Injection Vulnerability in Administrator Login

Vulnerability

A critical SQL injection vulnerability has been identified in Code-Projects Online Product Reservation System version 1.0. The issue resides in the administrator login file 'adminlogin.php', where the values of the 'emailadd' and 'pass' request fields are concatenated directly into SQL query strings without validation or parameterization. Because the database cannot distinguish the supplied data from query syntax, an attacker can alter the query that is executed and potentially bypass authentication altogether. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows SQL injection against the application's database. In this case it can lead to an authentication bypass for the administrator account, either by altering the login query so that it succeeds without valid credentials or by extracting admin credentials from the database.

Reproduction

To reproduce this vulnerability, send a POST request to 'handgunner-administrator/adminlogin.php' containing the 'emailadd' and 'pass' fields. Because neither field is validated or bound as a parameter, crafted values in these fields change the structure of the SQL query that the login code executes.
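The defect the advisory describes is a string-concatenated login query. The following PHP is an added illustration, not code from the Online Product Reservation System or from Code-Projects: it shows the vulnerable pattern next to the parameterized form that closes the hole. Only the field names 'emailadd' and 'pass' come from the advisory; the `admin` table, its columns, the `$db` mysqli connection and the use of `password_hash()` for stored passwords are assumptions made for the example.

```php
<?php
// Added example, not the project's code. Assumed (not from the advisory):
// a mysqli connection $db, a table `admin` with columns `id`, `emailadd`
// and `pass`, and passwords stored as password_hash() output.

// --- Vulnerable pattern (the kind of code the advisory describes) ---
// The request values are spliced into the SQL text, so the database
// parses whatever they contain as part of the query.
function vulnerable_login(mysqli $db, string $emailadd, string $pass): ?array
{
    $sql = "SELECT id, emailadd FROM admin WHERE emailadd = '$emailadd' AND pass = '$pass'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened form: bound parameter plus hashed password comparison ---
function safe_login(mysqli $db, string $emailadd, string $pass): ?array
{
    // Defence in depth only; the real fix is the bound parameter below.
    if (filter_var($emailadd, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The SQL text is fixed; the value travels separately as a parameter
    // and can never change the query structure.
    $stmt = $db->prepare('SELECT id, emailadd, pass FROM admin WHERE emailadd = ? LIMIT 1');
    $stmt->bind_param('s', $emailadd);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    $stmt->close();

    // Password is never part of the query: compare against the stored hash.
    if ($row === null || !password_verify($pass, $row['pass'])) {
        return null;
    }
    unset($row['pass']);
    return $row;   // authenticated administrator record without the hash
}

// Request handling as it would sit in a login script (assumed structure).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $emailadd = (string) ($_POST['emailadd'] ?? '');
    $pass     = (string) ($_POST['pass'] ?? '');
    $admin    = safe_login($db, $emailadd, $pass);
    if ($admin === null) {
        http_response_code(401);
        exit('Invalid credentials');
    }
    // ... start the admin session here ...
}
```

Two properties of the hardened version matter for this class of bug: the query string contains no user-controlled text at all, and the password is checked in PHP with `password_verify()` rather than inside the SQL `WHERE` clause, so the login decision cannot be influenced by the query's result set being widened.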

Added: Jan 4, 2026, 6:17 AM
Updated: Jan 4, 2026, 6:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.