Code-Projects Easy Blog Site SQL Injection Vulnerability in Contact Us Page

Vulnerability

A SQL injection vulnerability has been identified in Code-Projects Easy Blog Site in PHP, specifically in version 1.0. The issue arises in the contact form located at '/users/contact_us.php'. The vulnerability allows remote attackers to manipulate the 'name' parameter, injecting malicious SQL that is executed by the database. This exploitation can be done without any authentication, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows arbitrary SQL execution, potentially leading to unauthorized data access, modification or deletion of database records, and compromise of the entire application database.

Reproduction

To reproduce this vulnerability, send a POST request to '/blog/users/contact_us.php' with a crafted payload in the 'name' parameter that includes SQL injection syntax, such as a subquery using the SLEEP() function. This payload will delay the server response, indicating successful exploitation.

Remediation

No known mitigation is available.
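The following is an added example, not code from the Easy Blog Site project: a contact-form insert written first in the string-concatenation style that produces this class of bug, then with a mysqli prepared statement, which is the standard fix for it. The table name `contact_messages`, the column names and the `email`/`message` fields are assumptions.

```php
<?php
// Added illustrative example (not the project's code). Table and column
// names are assumptions; only the 'name' parameter is named in the advisory.

// VULNERABLE pattern: user input is concatenated into the SQL text.
function save_contact_unsafe(mysqli $db, array $post): bool
{
    $name    = $post['name'] ?? '';
    $email   = $post['email'] ?? '';
    $message = $post['message'] ?? '';
    // Whatever arrives in $name becomes part of the statement, so a value
    // that closes the quote and appends a subquery runs as SQL. A time-based
    // subquery (SLEEP()) is how the advisory's reproduction confirms it.
    $sql = "INSERT INTO contact_messages (name, email, message) "
         . "VALUES ('$name', '$email', '$message')";
    return $db->query($sql) !== false;
}

// HARDENED pattern: prepared statement with bound parameters. The query
// text is fixed at prepare time; values travel separately and cannot
// alter its structure, whatever characters they contain.
function save_contact_safe(mysqli $db, array $post): bool
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    // Input validation on top of parameterization (defence in depth):
    // reject empty or oversized names and malformed e-mail addresses.
    if ($name === '' || mb_strlen($name) > 100) {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    $stmt = $db->prepare(
        "INSERT INTO contact_messages (name, email, message) VALUES (?, ?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $name, $email, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

A quick detection check for an installed copy is a request to the contact page that takes noticeably longer than the server's normal response time, as the Reproduction section describes; a response time that no longer depends on the submitted name indicates the handler has been parameterized.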

Added: Apr 8, 2026, 9:45 PM
Updated: Apr 8, 2026, 9:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.