itsourcecode Agri-Trading Online Shopping System SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Agri-Trading Online Shopping System version 1.0. The issue resides in the admin/productcontroller.php file, specifically within the HTTP POST request handler. The vulnerability arises because the application does not properly sanitize user input in the product parameter, allowing remote attackers to manipulate the input and execute arbitrary SQL commands. Additionally, this endpoint lacks session validation, enabling attackers to bypass authentication and access sensitive database information or modify product records without authorization.

Impact

Exploitation of this vulnerability gives an attacker unauthorized database access: sensitive data can be exfiltrated, records tampered with, and administrative functions taken over. Beyond compromising the integrity of the system, such actions can disrupt service, posing a significant risk to overall business operations.

Reproduction

To reproduce this vulnerability, send a POST request to the admin/productcontroller.php file with a crafted product parameter that includes malicious SQL payloads. The request must also include the other required parameters: code, quantity, price, markup, user, date, category, supplier, and submit. Because the endpoint performs no authentication check, the request succeeds without a valid session.

Remediation

It is recommended to use prepared statements with parameter binding to prevent SQL injection, to enforce session validation on the endpoint, to validate and filter user input, to minimize the privileges of the database user, and to conduct regular security audits.
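As an added example that is not part of the advisory or the vendor's code, the following shows what a hardened admin/productcontroller.php POST handler could look like: session validation before any database access, input validation, and a PDO prepared statement in place of string-built SQL. Table and column names, the DSN and the credentials are hypothetical.

```php
<?php
// Added example, not the project's code: a hardened shape for the
// admin/productcontroller.php POST handler. Table and column names
// (products, product_name, ...) and the DSN/credentials are hypothetical.
session_start();

// The original endpoint has no session validation: refuse unauthenticated
// callers before any database access.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['submit'])) {
    http_response_code(405);
    exit('Method not allowed');
}

// Validate every field; numeric fields are rejected unless they parse.
$product  = trim((string)($_POST['product'] ?? ''));
$code     = trim((string)($_POST['code'] ?? ''));
$quantity = filter_input(INPUT_POST, 'quantity', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
$price    = filter_input(INPUT_POST, 'price', FILTER_VALIDATE_FLOAT);
$markup   = filter_input(INPUT_POST, 'markup', FILTER_VALIDATE_FLOAT);
$category = filter_input(INPUT_POST, 'category', FILTER_VALIDATE_INT);
$supplier = filter_input(INPUT_POST, 'supplier', FILTER_VALIDATE_INT);
$numeric  = [$quantity, $price, $markup, $category, $supplier];
if ($product === '' || strlen($product) > 100 || $code === '' || strlen($code) > 50
    || in_array(false, $numeric, true) || in_array(null, $numeric, true)) {
    http_response_code(400);
    exit('Invalid input');
}

// Weak pattern behind the advisory: the raw value spliced into the SQL text.
//   $sql = "INSERT INTO products (product_name, ...) VALUES ('$product', ...)";
// Hardened form: a prepared statement with bound parameters, so values never
// become part of the statement. Native prepares are forced (no emulation),
// and the DB account should hold only the rights this handler needs.
$pdo = new PDO('mysql:host=localhost;dbname=agri_trading;charset=utf8mb4', 'app_user', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$stmt = $pdo->prepare(
    'INSERT INTO products (product_code, product_name, quantity, price, markup,
                           category_id, supplier_id, added_by, date_added)
     VALUES (:code, :product, :quantity, :price, :markup, :category, :supplier, :user, NOW())'
);
$stmt->execute([
    ':code' => $code, ':product' => $product, ':quantity' => $quantity,
    ':price' => $price, ':markup' => $markup, ':category' => $category,
    ':supplier' => $supplier, ':user' => $_SESSION['admin_id'],
]);
echo 'Product saved';
```

The user and date fields are taken from the server-side session and clock rather than from the POST body, so a client cannot attribute the record to another account or backdate it.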

Added: Feb 21, 2026, 8:19 AM
Updated: Feb 21, 2026, 8:19 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 3.1
exploitability: 9.7
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.