SourceCodester Online Food Ordering System SQL Injection Vulnerability in Product Management

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Online Food Ordering System version 1.0. The issue resides in the product management component, specifically in the admin/manage_product.php file. The vulnerability is triggered through the 'id' parameter of the HTTP GET request, which allows authenticated attackers to inject arbitrary SQL commands. Successful exploitation can lead to unauthorized data access, including sensitive information such as administrator credentials, through UNION-based injection techniques.

Impact

Exploitation of this vulnerability allows for SQL injection, with the potential to exfiltrate database contents, including user, order, and product information. Additionally, this vulnerability could be used to compromise the application by accessing and manipulating sensitive data or administrative credentials.

Reproduction

To reproduce this vulnerability, deploy the Online Food Ordering System locally and log in as an administrator. The 'id' parameter handled by 'admin/manage_product.php' can be manipulated to inject SQL payloads. The vulnerability can be exploited manually or with automated tools such as SQLMap, which can confirm the injection and extract data from the database.
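The root cause described above is an 'id' GET parameter that reaches the SQL query unvalidated. The following added example (not the project's code) shows the remediation pattern for a manage_product-style page: strict integer validation of 'id' followed by a parameterised PDO query. The database name, credentials, and the `products` table and its columns are assumptions.

```php
<?php
// Added example, not code from the Online Food Ordering System.
// Assumes a PDO connection and a `products` table with an integer primary key `id`.

declare(strict_types=1);

/**
 * Validate the raw GET value as a positive integer product id.
 * Returns null for anything that is not a canonical integer, so mixed input
 * such as "1 UNION SELECT ..." is rejected before any query is built.
 */
function parseProductId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one product by id with a prepared statement. The id is bound as an
 * integer parameter, so the database never interprets user input as SQL.
 */
function fetchProduct(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection details are placeholders; replace them with the deployment's own values.
$pdo = new PDO('mysql:host=localhost;dbname=food_ordering', 'app_user', 'REPLACE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

// Reject malformed ids before touching the database, and log the rejection
// so repeated probing of this parameter is visible to defenders.
$id = parseProductId((string)($_GET['id'] ?? ''));
if ($id === null) {
    http_response_code(400);
    error_log('manage_product: rejected non-integer id from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit('Invalid product id.');
}

$product = fetchProduct($pdo, $id);
if ($product === null) {
    http_response_code(404);
    exit('Product not found.');
}
```

The validation step is defence in depth: the prepared statement alone closes the injection, while the integer check keeps malformed requests out of the query path and produces a log line that can be alerted on.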

Added: Mar 27, 2026, 4:24 PM
Updated: Mar 27, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.