SourceCodester Online Employees Work From Home Attendance System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Online Employees Work From Home Attendance System version 1.0. The issue resides in the file 'attendance_list.php' within the 'admin' directory. The vulnerability allows attackers to manipulate SQL queries by injecting malicious payloads, potentially leading to unauthorized data access or manipulation.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, navigate to the 'attendance_list.php' file in the 'admin' directory. The vulnerability can be exploited by sending a GET request with the 'page', 'employee_id', 'date_start', and 'date_end' parameters. Inject a SQL payload into the 'date_end' parameter, such as a UNION SELECT statement, to exploit the SQL injection flaw. The injected SQL payload will be executed by the application's database, allowing the attacker to manipulate or access sensitive data.