PHP-MYSQL-User-Login-System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in PHP-MYSQL-User-Login-System version 1.0, specifically in the login.php file. The vulnerability arises because the application fails to properly sanitize user input in the username parameter before incorporating it into SQL queries. This flaw allows unauthenticated users to manipulate SQL commands, bypass authentication, and gain unauthorized administrative access.

Impact

Exploitation of this vulnerability allows for authentication bypass, unauthorized access to admin features, potential data leakage or manipulation through UNION-based SQL injection, and a full compromise of the backend database.

Reproduction

To reproduce this vulnerability, clone the PHP-MYSQL-User-Login-System repository and host it locally using XAMPP or LAMP. Navigate to the login.php page and enter a crafted username that includes SQL injection payloads, such as ' OR '1'='1, along with any value for the password. This will bypass authentication and log in as an admin user.

Remediation

It is recommended to replace dynamic SQL queries with prepared statements, validate and sanitize all user inputs, deploy a Web Application Firewall (WAF) to block known SQL injection patterns, and conduct regular code audits and penetration testing.