SourceCodester Web-Based Pharmacy Product Management System SQL Injection Vulnerability in edit-admin.php
Vulnerability
A SQL injection vulnerability has been identified in SourceCodester Web-Based Pharmacy Product Management System version 1.0. The flaw is in edit-admin.php, where the ID parameter is used in a database query without proper validation, allowing authenticated remote attackers to alter the SQL statements the application executes. The issue was confirmed with sqlmap, which identified the injection point in that parameter and demonstrated that it is exploitable.
Impact
Successful exploitation lets an authenticated attacker manipulate the application's SQL queries, which can lead to database enumeration, extraction of sensitive data, and possibly unauthorized modification of stored records.
Reproduction
The vulnerability can be reproduced by sending an authenticated request to edit-admin.php with a crafted ID parameter that alters the underlying SQL query. This can be done manually or with an automated tool such as sqlmap pointed at that parameter, which will detect and exploit the injection on its own.
Remediation
Use prepared statements with parameter binding for every query that incorporates user-supplied data, so the value is never interpreted as part of the SQL text. In addition, validate and whitelist input before use (for a record ID, accept only a positive integer). Regular code security reviews and security testing should also be conducted.
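The following is an added example written for this advisory, not code taken from the SourceCodester project: the actual source of edit-admin.php is not reproduced on this page, so the table name `admin`, its columns, and the use of mysqli are assumptions. It shows the kind of string-concatenated query that produces this class of flaw next to the hardened form recommended above (input whitelisting plus a bound parameter).

```php
<?php
// Added example for this advisory, not the project's own code.
// The real edit-admin.php query is not shown on this page, so the table
// name, column names and the mysqli API used here are assumptions.
// Both functions expect an already-open mysqli connection.

// VULNERABLE pattern: the request parameter is concatenated into the SQL
// text. An ID such as "1 OR 1=1" or "1 UNION SELECT ..." changes the query
// the database runs, which is exactly what sqlmap looks for.
function loadAdminVulnerable(mysqli $db, string $id): ?array
{
    $sql = "SELECT * FROM admin WHERE id = " . $id;   // no validation, no binding
    $result = $db->query($sql);
    if ($result === false) {
        return null;
    }
    $row = $result->fetch_assoc();
    return is_array($row) ? $row : null;
}

// HARDENED pattern: whitelist the input shape first, then bind it as a
// typed parameter so the value is sent to the database separately from
// the SQL text and can never be parsed as SQL.
function loadAdminSafe(mysqli $db, string $rawId): ?array
{
    // A record ID must be a non-empty string of digits; reject anything else.
    if ($rawId === '' || !ctype_digit($rawId)) {
        http_response_code(400);
        return null;
    }
    $id = (int) $rawId;

    // Select only the columns the page needs instead of "*".
    $stmt = $db->prepare("SELECT id, username, email FROM admin WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("i", $id);   // "i" binds $id as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    $stmt->close();
    return is_array($row) ? $row : null;
}

// Intended use from the edit page (assumed entry point and parameter name):
// $db    = new mysqli("localhost", "dbuser", "dbpass", "pharmacy");
// $admin = loadAdminSafe($db, (string) ($_GET['id'] ?? ''));
// Any UPDATE the page issues afterwards must bind its values the same way.
```

The whitelist check and the bound parameter are independent defenses: `ctype_digit` stops the obviously malformed input early and gives a clean 400, while `bind_param` guarantees that even a value which passes validation cannot change the structure of the query. Applying only the first would leave any other string-typed parameter on the page unprotected.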
