SourceCodester SUP Online Shopping SQL Injection Vulnerability in wishlist.php

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester SUP Online Shopping version 1.0, specifically in the wishlist.php file. The affected code (an unidentified function in that file) passes the delwlistid parameter into a SQL query without proper handling, allowing remote attackers to inject arbitrary SQL. The vulnerability has been publicly disclosed and could be exploited to gain unauthorized access to the database, manipulate or delete data, and disrupt services.

Impact

Exploitation of this vulnerability allows attackers to inject malicious SQL queries, leading to unauthorized database access, data manipulation or deletion, and potential disruption of services.

Reproduction

The vulnerability can be reproduced by sending a GET request to wishlist.php with a crafted delwlistid parameter. Because the parameter value reaches the query unsanitized, both error-based and time-based blind SQL injection techniques apply.

Remediation

To address this vulnerability, use prepared statements with parameter binding so that user-supplied values can never alter the structure of the query. Additionally, validate and filter input so that it conforms to the expected format (for delwlistid, a positive integer). Finally, restrict the database account used by the application to the least privileges required for its operations.
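The following is an added example illustrating the three remediation points above in PHP, the language of the affected application. It is not code from SUP Online Shopping: the table and column names (wishlist, wlist_id, user_id), the $conn mysqli connection and the session layout are assumptions made for the illustration.

```php
<?php
// Added example (not the project's code). Hypothetical handler for a
// wishlist-removal request driven by the delwlistid GET parameter.
// Assumed schema: table `wishlist` with columns `wlist_id` and `user_id`.

// --- Weak pattern: the class of defect the advisory describes ---
// The request value is concatenated straight into the SQL text, so the
// attacker controls part of the query rather than only a data value.
//
//   $sql = "DELETE FROM wishlist WHERE wlist_id = " . $_GET['delwlistid'];
//   $conn->query($sql);

// --- Hardened form ---
function deleteWishlistItem(mysqli $conn, array $get, int $currentUserId): bool
{
    // 1. Input validation: the id must be a positive integer and nothing else.
    $id = filter_var($get['delwlistid'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }

    // 2. Prepared statement with bound parameters: the value travels
    //    separately from the query text, so it cannot change the query's
    //    structure. Scoping by user_id also prevents one account from
    //    deleting another account's wishlist entries.
    $stmt = $conn->prepare(
        'DELETE FROM wishlist WHERE wlist_id = ? AND user_id = ?'
    );
    if ($stmt === false) {
        // Do not echo $conn->error to the client; log it server-side instead.
        http_response_code(500);
        return false;
    }
    $stmt->bind_param('ii', $id, $currentUserId);
    $stmt->execute();
    $deleted = $stmt->affected_rows > 0;
    $stmt->close();
    return $deleted;
}

// 3. Least privilege (configured on the database, not in PHP): the account
//    behind $conn should hold only SELECT/INSERT/UPDATE/DELETE on the shop's
//    tables, never FILE, DROP or privileges on other schemas, so that a
//    future injection elsewhere has limited reach.

// Usage (assumes an authenticated session and an open mysqli connection $conn):
// $ok = deleteWishlistItem($conn, $_GET, (int) $_SESSION['user_id']);
```

Binding the id as an integer ('i' in bind_param) combined with the FILTER_VALIDATE_INT check means a non-numeric delwlistid is rejected before any database access, which is also a useful point to log for detection of probing attempts.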

Added: May 8, 2026, 4:21 AM
Updated: May 8, 2026, 4:21 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       7.8
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.