Code-Projects Online FIR System SQL Injection Vulnerability in Login Component

Vulnerability

A SQL injection vulnerability has been identified in Code-Projects Online FIR System version 1.0. The issue resides in the login processing file '/Online_FIR_System/Login/checklogin.php', where user-supplied input through the email and password parameters is not properly validated or sanitized before being incorporated into SQL queries. This flaw allows remote attackers to execute arbitrary SQL commands by injecting malicious payloads, potentially leading to unauthorized data access or manipulation.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, which could be used to bypass authentication, extract sensitive data from the database, modify or delete database records, escalate privileges, or gain full control over the application database. In severe cases, this could lead to a complete compromise of the application.

Reproduction

To reproduce this vulnerability, log into the application and intercept the login request using a tool like Burp Suite. Modify the email parameter to include a SQL injection payload that exploits time-based SQL injection, such as one that uses the SLEEP() function to create a delay in the server response. Send the modified request and observe the delayed response, which confirms successful exploitation.

Remediation

It is recommended to use prepared statements (parameterized queries) for all SQL queries, so that user-supplied values such as email and password are bound as data rather than spliced into the query string. Additionally, validate user input to ensure it meets expected formats, such as a proper email address structure, and compare passwords against stored hashes rather than plaintext columns. Conduct regular security testing, including penetration testing and code audits, to identify and address vulnerabilities.
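The remediation above as a worked example: a login check rewritten around PDO prepared statements, input validation and password_verify(). This is added illustrative code, not the project's own checklogin.php; the users table, its column names and the database connection values are assumptions.

```php
<?php
// Added illustrative code, not the project's checklogin.php.
// Assumptions: a `users` table with `id`, `email` and `password_hash` columns;
// the DSN values below are placeholders to be taken from the real config.

// Vulnerable pattern (the class of defect described in this advisory):
// the request parameters are interpolated straight into the SQL text, so
// whoever controls them also controls the query's syntax.
//   $sql = "SELECT * FROM users WHERE email='$email' AND password='$password'";
//   $result = mysqli_query($conn, $sql);

function authenticate(PDO $db, string $email, string $password): ?array
{
    // 1. Reject input that does not have the expected shape before any query runs.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || $password === '') {
        return null;
    }

    // 2. Prepared statement: the email is bound as a value, never parsed as SQL.
    $stmt = $db->prepare('SELECT id, email, password_hash FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // 3. Verify against a stored hash; password_verify is constant-time.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    unset($user['password_hash']);
    return $user;
}

// Placeholder connection settings (assumed; not from the advisory).
$dsn = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
$db = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

session_start();
$user = authenticate($db, $_POST['email'] ?? '', $_POST['password'] ?? '');
if ($user === null) {
    // Same generic message for bad email and bad password: do not leak which one failed.
    http_response_code(401);
    exit('Invalid email or password.');
}
session_regenerate_id(true); // fresh session id on privilege change
$_SESSION['user_id'] = $user['id'];
```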

Added: Apr 6, 2026, 4:18 PM
Updated: Apr 6, 2026, 4:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 3.1
exploitability: 9.1
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.