SourceCodester SUP Online Shopping SQL Injection Vulnerability in viewmsg.php

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester SUP Online Shopping version 1.0. The issue resides in the admin/viewmsg.php file, where the msgid parameter is vulnerable to injection attacks. This vulnerability can be exploited remotely, allowing attackers to manipulate SQL queries and potentially access or modify database information.

Impact

Exploitation of this vulnerability allows for unauthorized database access, data manipulation, and in some cases, complete system control. Such actions can disrupt services and cause significant harm to business operations.

Reproduction

To reproduce this vulnerability, send a GET request to admin/viewmsg.php with a crafted msgid parameter. The injection can be confirmed with standard SQL injection test techniques such as boolean-based blind, error-based, time-based blind, or UNION query injection.

Remediation

Developers are advised to use prepared statements with parameter binding so that user input is never concatenated into query text. Input validation and filtering should be enforced so that user-supplied values match the expected format and anything else is rejected. Additionally, database user permissions should be minimized so that the account used for database connections holds only the privileges the application actually needs.
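As an added illustration (this is constructed example code, not the SUP Online Shopping source, which is not reproduced here), the vulnerable query pattern the advisory describes is shown beside a hardened version that validates msgid as an integer and binds it through a PDO prepared statement. The table and column names, the $pdo handle, and the low-privilege database account are assumptions.

```php
<?php
// Constructed illustration, not the SUP Online Shopping source.
// Assumptions: a `messages` table with an integer `id` column, and a
// PDO handle $pdo connected as a low-privilege, read-only account.

// --- Vulnerable pattern: the request value is concatenated into SQL. ---
// Whatever arrives in msgid becomes part of the query text, so the
// database cannot distinguish data from SQL keywords.
function view_message_vulnerable(PDO $pdo, array $get): ?array
{
    $msgid = $get['msgid'] ?? '';
    $sql = "SELECT * FROM messages WHERE id = '" . $msgid . "'";
    $result = $pdo->query($sql);
    $row = $result ? $result->fetch(PDO::FETCH_ASSOC) : false;
    return $row === false ? null : $row;
}

// --- Hardened version: validate the input, then bind it. ---
function view_message_safe(PDO $pdo, array $get): ?array
{
    // 1. Input validation: msgid must be a positive integer; any other
    //    value is rejected before the database is ever contacted.
    $msgid = filter_var($get['msgid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($msgid === false) {
        http_response_code(400);
        return null;
    }

    // 2. Prepared statement with a bound parameter: the value travels
    //    separately from the query text, so it can never change the SQL.
    $stmt = $pdo->prepare(
        'SELECT id, sender, subject, body FROM messages WHERE id = :id'
    );
    $stmt->bindValue(':id', $msgid, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// With MySQL, turning off emulated prepares makes the binding happen on the
// server side rather than being interpolated client-side by the driver:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
```

Pairing the bound query with a database account that can only read the messages table limits what any remaining injection elsewhere in the application could reach.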

Added: May 8, 2026, 3:19 AM
Updated: May 8, 2026, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       7.8
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.