FeMiner WMS SQL Injection Vulnerability in chkuser.php

A SQL injection vulnerability has been identified in the FeMiner Warehouse Management System (WMS) version 1.0, specifically in the file '/src/chkuser.php'. This vulnerability arises from inadequate input validation of the 'username' parameter, allowing remote attackers to inject malicious SQL queries. The exploitation of this vulnerability could lead to unauthorized database access, manipulation of data, and disruption of services.

Impact

Exploitation of this vulnerability allows attackers to inject malicious SQL, potentially bypassing authentication and manipulating or accessing sensitive database information such as user credentials and business data.

Reproduction

To reproduce this vulnerability, send a POST request to '/src/chkuser.php' with an injected payload in the 'username' parameter. The injection can be crafted to exploit the SQL query handling of the application. This vulnerability can be automated using SQLMap by placing the request details in a file and using SQLMap's command-line options to target the injection.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.