Tushar-2223 Hotel Management System SQL Injection Vulnerability in Room Deletion Admin Endpoint
Vulnerability
A critical unauthenticated SQL injection vulnerability has been identified in the Tushar-2223 Hotel Management System, specifically in the administrative endpoint '/admin/roomdelete.php'. The vulnerability arises because the 'id' parameter is directly appended to SQL queries without proper input validation or sanitization. This flaw allows remote attackers to execute arbitrary SQL commands, potentially leading to unauthorized database access or manipulation. The issue has been acknowledged but not yet addressed by the project maintainers.
Impact
Exploitation of this vulnerability allows for unauthenticated SQL injection, with the potential to exfiltrate the entire database or execute destructive operations, such as deleting records.
Reproduction
The vulnerability can be reproduced by sending a request to the '/admin/roomdelete.php' endpoint with an 'id' parameter. The lack of authentication on this endpoint allows the SQL injection to be executed remotely. This vulnerability can be verified using 'sqlmap', a popular SQL injection exploitation tool, by targeting the same endpoint with a crafted request that exploits the SQL injection flaw.
Remediation
It is recommended to implement authentication checks for the administrative endpoints and to use prepared statements for database queries to prevent SQL injection vulnerabilities.
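The following is an added example, not code from the Tushar-2223 project, showing how the advisory's two remediation points (an authentication check plus a prepared statement) look in a hardened replacement for the deletion handler. It assumes a PDO connection, a 'rooms' table with an integer primary key 'id', and an admin login that sets $_SESSION['admin_id']; the database credentials are placeholders.

```php
<?php
// Added example (not the project's code): hardened version of the pattern the
// advisory describes, where /admin/roomdelete.php appends the 'id' parameter
// straight into a DELETE query and performs no authentication check.
// Assumptions: PDO, table 'rooms' with integer key 'id', admin login that
// sets $_SESSION['admin_id']. Credentials below are placeholders.
session_start();

// 1. Authentication: refuse unauthenticated callers before touching the DB.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Input validation: 'id' must be a positive integer, nothing else.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request');
}

// Vulnerable pattern as described in the advisory (shown for contrast only):
//   $sql = "DELETE FROM rooms WHERE id=" . $_GET['id'];
//   mysqli_query($conn, $sql);

// 3. Prepared statement: the value is bound as data and never parsed as SQL.
$pdo = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB',
    'PLACEHOLDER_USER', 'PLACEHOLDER_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepares
]);

$stmt = $pdo->prepare('DELETE FROM rooms WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

if ($stmt->rowCount() === 0) {
    http_response_code(404);
    exit('No such room');
}
header('Location: /admin/rooms.php');
```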
