Code-Projects Intern Membership Management System SQL Injection Vulnerability in edit_activity.php

A SQL injection vulnerability has been identified in version 1.0 of the Code-Projects Intern Membership Management System. The issue resides in the edit_activity.php file, where the activity_id parameter can be manipulated to execute unauthorized SQL commands. This vulnerability allows attackers to access sensitive information from the database. The exploitation can be performed remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to the edit_activity.php file with a crafted activity_id parameter. The request should include the necessary headers to mimic a standard browser request, such as User-Agent and Accept-Language. Once the request is sent, the application may return database information or behave unexpectedly, indicating that the SQL injection was successful.