SourceCodester Online Food Ordering System SQL Injection Vulnerability in Product View

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Online Food Ordering System version 1.0. The issue resides in the admin/view_product.php file, where the 'id' parameter of the HTTP GET request is used without proper sanitization. This flaw allows authenticated attackers to inject arbitrary SQL commands. Exploitation of this vulnerability could lead to unauthorized data access, including sensitive information such as administrator credentials, which could be displayed on the webpage.

Impact

Successful exploitation allows attackers to retrieve and display database content, including sensitive information such as admin credentials, on the webpage. This could lead to unauthorized access and system compromise.

Reproduction

To reproduce this vulnerability, deploy the Online Food Ordering System locally and log in as an administrator. The 'id' parameter of 'admin/view_product.php' can be manipulated to inject SQL commands. This vulnerability can be exploited manually or by using automated tools like 'sqlmap'.
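As an added illustration, and not code taken from the project (the advisory does not quote its source), the pattern described above beside a hardened form of a view_product.php-style handler: the 'id' parameter is validated as a positive integer and bound to a prepared statement, so it can only ever be treated as data. The PDO connection, the `products` table and its columns are assumptions made for this example.

```php
<?php
// Added example: hypothetical handler shapes, not the project's own code.
// Assumptions: a PDO connection in $pdo and a `products` table with an
// integer `id` column, a `name` column and a `price` column.

// Hypothetical vulnerable pattern: the GET value is concatenated straight
// into the SQL text, so a quote in the input changes the query's structure.
function view_product_vulnerable(PDO $pdo, array $get): ?array
{
    $sql = "SELECT * FROM products WHERE id = '" . ($get['id'] ?? '') . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: reject anything that is not a positive integer before any
// query runs, then bind the value so the database never parses it as SQL.
// Returns null for both "invalid input" and "no such product"; the caller
// should answer with HTTP 400 or 404 accordingly.
function view_product_safe(PDO $pdo, array $get): ?array
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-alone demo on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Real server-side prepares: the driver does not stitch values into the text.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$pdo->exec("INSERT INTO products VALUES (1, 'Burger', 5.50), (2, 'Fries', 2.00)");

var_dump(view_product_safe($pdo, ['id' => '2']));             // the Fries row
var_dump(view_product_safe($pdo, ['id' => "2' OR '1'='1"]));  // NULL: rejected before any query
var_dump(view_product_safe($pdo, ['id' => '-5']));            // NULL: fails min_range
```

The same integer validation should be applied to every numeric identifier the admin pages read from the request, not only this one; a web application firewall rule for 'sqlmap' traffic is a detection aid, not a substitute for the parameterized query.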

Added: Mar 27, 2026, 4:26 PM
Updated: Mar 27, 2026, 4:26 PM

Vulnerability Rating

Custom Algorithm

  spread          1.0
  impact          2.5
  exploitability  6.3
  remediation     0.0
  relevance       4.8
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.