Code-Projects Employee Management System SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the Employee Management System developed by Code-Projects, specifically in version 1.0. The issue resides in the authentication process within the file '/370project/process/eprocess.php'. The vulnerability is triggered by manipulating the 'mailuid' parameter in an HTTP POST request, allowing attackers to inject malicious SQL code that is executed by the database. Successful exploitation can bypass authentication and expose sensitive information.
Impact
Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized access to database information, modification or deletion of records, and bypassing authentication mechanisms.
Reproduction
To reproduce this vulnerability, send a POST request to '/370project/process/eprocess.php' with the 'mailuid' parameter manipulated to include a SQL injection payload, such as a time-based injection that delays the server response, indicating successful exploitation.
Remediation
It is recommended to use prepared statements for database queries, validate and sanitize user input, implement password hashing, limit database user permissions, and conduct regular security audits.
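The following added example (not code from the Employee Management System or from this advisory) sketches a login check that applies the first three recommendations: input validation, a prepared statement, and password hashing. Only the 'mailuid' parameter name comes from the advisory; the table, column and function names, the in-memory SQLite database and the sample account are constructed assumptions so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application's database (hypothetical schema).
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE employee (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pwd_hash TEXT)');
    // Passwords are stored only as salted hashes, never in clear text.
    $ins = $db->prepare('INSERT INTO employee (email, pwd_hash) VALUES (?, ?)');
    $ins->execute(['alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the employee id on success, null on any failure.
function login(PDO $db, string $mailuid, string $password): ?int {
    // Input validation: reject anything that is not a plausible e-mail address.
    if (strlen($mailuid) > 254 || filter_var($mailuid, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Prepared statement: mailuid is bound as data and never becomes SQL text.
    $stmt = $db->prepare('SELECT id, pwd_hash FROM employee WHERE email = :mail');
    $stmt->execute([':mail' => $mailuid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password is checked against the stored hash in PHP, not inside the query.
    if ($row === false || !password_verify($password, $row['pwd_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

$db = demo_db();
// Valid credentials for the constructed account.
var_dump(login($db, 'alice@example.test', 'correct horse'));
// Wrong password for an existing account.
var_dump(login($db, 'alice@example.test', 'wrong'));
// A value containing a quote character is either rejected by validation or
// bound as a literal string; it cannot change the structure of the query.
var_dump(login($db, "o'brien@example.test", 'anything'));
```

Validation here is a secondary control: the bound parameter is what keeps 'mailuid' out of the SQL text, so the query stays safe even for inputs the validator accepts.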
