SourceCodester Sales and Inventory System SQL Injection Vulnerability in Update Out Standing PHP File

A SQL injection vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the 'update_out_standing.php' file, where the 'sid' parameter in the HTTP GET request is not properly sanitized. This lack of validation allows authenticated attackers to inject arbitrary SQL commands, exploiting the application’s database (MySQL) to exfiltrate sensitive information or manipulate database content. The vulnerability can be exploited remotely, and a public proof-of-concept is available.

Impact

Successful exploitation allows attackers to inject and execute arbitrary SQL commands, potentially leading to unauthorized data access, data manipulation, or database enumeration.

Reproduction

To reproduce this vulnerability, log into the application and send a crafted HTTP GET request to 'update_out_standing.php' with a SQL injection payload in the 'sid' parameter. Alternatively, use SQLMap to automate the exploitation.