SourceCodester Sales and Inventory System
cpe:2.3:a:sales_and_inventory_system_project:sales_and_inventory_system:*:*:*:*:*:*:*
- 1.0
A SQL injection vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the update_supplier.php file, specifically within the HTTP GET request handler. The vulnerability arises because the application does not properly sanitize the 'sid' parameter before using it in SQL queries. This flaw allows authenticated attackers to inject arbitrary SQL commands. Exploitation of this vulnerability could lead to unauthorized access to sensitive database information, as the backend database is MySQL and the injection point supports UNION-based attacks.
Successful exploitation allows attackers to exfiltrate database information, manipulate database content, and potentially execute administrative operations on the database.
To reproduce this vulnerability, log into the application and send a crafted HTTP GET request to 'update_supplier.php' with a payload that injects SQL into the 'sid' parameter. Alternatively, use SQLMap to automate the exploitation.
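The following is an added illustration, not code from the Sales and Inventory System project: it reconstructs the handler pattern the advisory describes (an unsanitized 'sid' query parameter concatenated into a MySQL query) next to a hardened version that validates the parameter and binds it with a prepared statement. The `$conn` mysqli handle and the `supplier` table and `sid` column names are assumptions for the example.

```php
<?php
// Added example, not the project's own code. Assumes a mysqli connection
// in $conn (mysqlnd available for get_result) and a `supplier` table with
// an integer `sid` column; those names are assumptions, not from the advisory.

// VULNERABLE pattern: the raw 'sid' value from the GET request is spliced
// into the SQL text, so a crafted value alters the query structure
// (this is what makes UNION-based injection possible).
function getSupplierVulnerable(mysqli $conn, array $get): ?array
{
    $sid = $get['sid'] ?? '';
    $sql = "SELECT * FROM supplier WHERE sid = '" . $sid . "'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED version: reject anything that is not a positive integer id,
// then pass the value as a bound parameter so it can never be parsed as SQL.
function getSupplierHardened(mysqli $conn, array $get): ?array
{
    $sid = $get['sid'] ?? '';
    // Defensive shape check: sid[]=... arrives as an array, '' and '1 UNION ...'
    // fail ctype_digit, and '0' is not a valid id.
    if (!is_string($sid) || !ctype_digit($sid) || (int) $sid <= 0) {
        http_response_code(400);
        return null;
    }
    $sidInt = (int) $sid;

    $stmt = $conn->prepare('SELECT * FROM supplier WHERE sid = ?');
    if ($stmt === false) {
        // Preparation failed (e.g. schema mismatch); do not fall back to string building.
        return null;
    }
    $stmt->bind_param('i', $sidInt); // 'i' = integer placeholder
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Because a legitimate supplier id is purely numeric, requests to update_supplier.php whose sid value contains anything other than digits are also a simple access-log signal for attempted exploitation.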