Code-Projects Simple ChatBox SQL Injection Vulnerability in PHP Endpoint

A SQL injection vulnerability has been identified in Code-Projects Simple ChatBox in PHP, specifically in version 1.0. The issue resides in the message submission feature, within the file '/chatbox/insert.php'. The vulnerability allows remote attackers to manipulate the 'msg' parameter in HTTP POST requests, injecting malicious SQL payloads that are executed by the database. This exploitation is possible due to the application's failure to properly validate, sanitize, or parameterize user input before incorporating it into SQL queries.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. In severe cases, it could result in full control over the database or backend system.

Reproduction

To reproduce this vulnerability, upload the affected application to a server and navigate to the chat interface. Intercept the message submission request using a tool like Burp Suite. Modify the 'msg' parameter to include a time-based SQL injection payload, such as one that uses the 'SLEEP' function to delay the server response. Send the request and observe the delayed response, which confirms the successful execution of the injected SQL payload.

Remediation

It is recommended to use prepared statements for database queries to prevent SQL injection. Validate and sanitize user input, and apply the principle of least privilege by using restricted database permissions.