SourceCodester SUP Online Shopping SQL Injection Vulnerability in admin/message.php
Vulnerability
A SQL injection vulnerability has been identified in SourceCodester SUP Online Shopping version 1.0. The issue arises in the admin/message.php file, where the seenid parameter is not properly validated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, with public proof-of-concept evidence available.
Impact
Exploitation of this vulnerability allows unauthorized access to the database, manipulation or deletion of data, leakage of sensitive information, and potential disruption of services.
Reproduction
The vulnerability can be reproduced by sending a GET request to the admin/message.php file with a crafted seenid parameter. This can be done using a tool like sqlmap, which can automate the exploitation of SQL injection vulnerabilities.
Remediation
To address this vulnerability, it is recommended to implement prepared statements and parameter binding to prevent SQL injection, conduct thorough input validation and filtering, and minimize database user permissions.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.