Apartment Visitors Management System SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Apartment Visitors Management System (AVMS) version 1.1. The issue resides in the login page (index.php), specifically within the username parameter. This vulnerability allows an unauthenticated attacker to manipulate SQL queries during the authentication process, potentially leading to unauthorized access to sensitive database information.

Impact

Exploitation of this vulnerability could result in unauthorized access to the database, allowing attackers to extract sensitive information.

Reproduction

To reproduce this vulnerability, send a crafted SQL injection payload through the username parameter on the login page. The application does not properly sanitize input, so the injected SQL is executed against the database. This can be validated using tools like Burp Suite or sqlmap.

Remediation

It is recommended to use prepared statements to prevent SQL injection vulnerabilities. Additionally, all user inputs should be validated and sanitized before processing.
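
The remediation above, as an added example (not AVMS source code): a login lookup written with string concatenation next to the same lookup with a PDO prepared statement and basic input validation. The table, column and function names are hypothetical, the account is constructed sample data, and an in-memory SQLite database stands in for the application's database so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example. Schema and function names are hypothetical, not taken from AVMS.
// In-memory SQLite stands in for the application's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Constructed sample account; the apostrophe is a legitimate character in a name.
$ins = $pdo->prepare('INSERT INTO admin_users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => "o'brien", ':h' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Weak pattern: the username becomes part of the SQL text, so its characters
// can change the structure of the statement.
function loginConcatenated(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT password_hash FROM admin_users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Hardened pattern: the SQL text is fixed and the username travels as a bound value.
function loginPrepared(PDO $pdo, string $username, string $password): bool
{
    // Validation: reject empty or over-long input before touching the database.
    if ($username === '' || strlen($username) > 64) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM admin_users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

var_dump(loginPrepared($pdo, "o'brien", 'constructed-sample-pw')); // bound value matches the stored row
var_dump(loginPrepared($pdo, "o'brien", 'wrong-password'));        // password hash check fails

try {
    loginConcatenated($pdo, "o'brien", 'constructed-sample-pw');
} catch (PDOException $e) {
    // The apostrophe ended the string literal early, so the statement no longer parses.
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}
```

The concatenated version fails on an ordinary name because the input is parsed as SQL; the prepared version treats the same bytes purely as data.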

Added: Apr 20, 2026, 6:27 PM
Updated: Apr 20, 2026, 6:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 6.0
threat: 1.6
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.