SourceCodester Pizzafy Ecommerce System SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in SourceCodester Pizzafy Ecommerce System version 1.0. It lies in the delete_category function of admin/ajax.php, where the id parameter is placed into a SQL statement without sanitization or parameter binding. A remote attacker can therefore alter the query; the reported exploitation path is error-based SQL injection. The endpoint sits under the admin/ directory, but whether an authenticated admin session is required to reach it is not stated. The vulnerability is unpatched and has been publicly disclosed.
Impact
Error-based SQL injection lets an attacker read data back through the database's own error messages: database and table names, column structures, and stored user credentials. Because the injection point is a category deletion, the same flaw can be used to alter or destroy records and disrupt the shop. Credentials or session data recovered this way could then be used to gain administrative access.
Reproduction
To reproduce this vulnerability, send a POST request to the /pizzafy/admin/ajax.php endpoint with the action parameter set to delete_category and an injection payload in the id parameter. Error-based extraction with the MySQL extractvalue function works here: it raises an XPATH syntax error that echoes its second argument, so a subquery wrapped in it (for example, one selecting the database name) is returned in the error text.
Remediation
Use prepared statements with bound parameters so that the id value can never change the structure of the statement. Validate id as a positive integer before it reaches the query and reject anything else. Run the application with a database account limited to the privileges it needs on its own schema, so that a successful injection cannot read other databases or write files. Do not return raw database error messages to the client; error-based techniques depend on them.
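The following is an added illustration, not Pizzafy's source code: a delete_category handler of the shape the advisory describes (id concatenated into the SQL text), the query that the extractvalue payload from the Reproduction section turns it into, and a hardened replacement that applies the three remediation points. Table and column names, the database credentials, and the session check are assumptions.

```php
<?php
// Illustrative code, not the Pizzafy project's own. The table name "categories",
// the column "id", the DSN and the credentials are assumptions.

// --- Vulnerable shape (assumed): the request parameter is interpolated into SQL ---
function build_delete_query_vulnerable(string $id): string
{
    return "DELETE FROM categories WHERE id = " . $id;
}

// Error-based payload of the kind the advisory describes. extractvalue() raises
// "XPATH syntax error" and echoes its second argument, so the subquery result
// comes back inside the error message when the server returns DB errors to the client.
$payload = "1 AND extractvalue(1,concat(0x7e,(SELECT database())))";
// build_delete_query_vulnerable($payload) yields:
//   DELETE FROM categories WHERE id = 1 AND extractvalue(1,concat(0x7e,(SELECT database())))
// and MySQL answers with an error of the form:  XPATH syntax error: '~<database name>'
// Equivalent request, as a comment only:
//   curl -d 'action=delete_category' --data-urlencode "id=$payload" http://target/pizzafy/admin/ajax.php

// --- Hardened handler ---
function delete_category(PDO $db, array $post): array
{
    // 1. Validate: only a positive integer is an acceptable category id.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['status' => 'error', 'msg' => 'invalid id'];
    }

    // 2. Parameterize: the value is bound by the driver and never becomes SQL text,
    //    so the payload above is simply rejected by the integer check, and even a
    //    string that slipped through could not change the statement's structure.
    $stmt = $db->prepare('DELETE FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    try {
        $stmt->execute();
    } catch (PDOException $e) {
        error_log($e->getMessage());                        // keep the detail server-side
        return ['status' => 'error', 'msg' => 'database error']; // never echo it to the client
    }
    return ['status' => 'ok', 'deleted' => $stmt->rowCount()];
}

// Connection: throw on error so failures are caught above, and disable emulated
// prepares so the MySQL server performs the parameter binding itself.
$db = new PDO('mysql:host=localhost;dbname=pizzafy;charset=utf8mb4',
              'pizzafy_app', 'change-me', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// 3. Least privilege for the account used above (run once as the DBA, shown as a comment):
//   CREATE USER 'pizzafy_app'@'localhost' IDENTIFIED BY 'change-me';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON pizzafy.* TO 'pizzafy_app'@'localhost';
// No FILE, SUPER or access to other schemas, so an injection cannot read other
// databases or write to the filesystem.

session_start();
if (empty($_SESSION['admin_id'])) {          // assumed session key: admin actions need an admin login
    http_response_code(403);
    exit;
}

if (($_POST['action'] ?? '') === 'delete_category') {
    header('Content-Type: application/json');
    echo json_encode(delete_category($db, $_POST));
}
```

The integer validation alone would stop the payload shown, but it is the bound parameter that makes the statement safe regardless of what validation is later relaxed or forgotten; the two are complementary, and the restricted database account bounds the damage if either is bypassed elsewhere in the application.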
