SourceCodester Indian Invoicing System
- 1.0
A second-order SQL injection vulnerability has been identified in SourceCodester Indian Invoicing System version 1.0. The issue arises in the invoice generation handler file IGST_Invoice.php, where user-supplied data previously stored in the database is read back and used to construct SQL queries without proper sanitization. This vulnerability can be exploited remotely, allowing attackers to manipulate invoice generation logic, exfiltrate data from other database tables, or perform administrative actions.
Exploitation of this vulnerability could lead to unauthorized access to all database tables, including sensitive user credential data, with potential for database manipulation or deletion. Additionally, destructive SQL commands could be used to disrupt service.
The vulnerability can be reproduced by first injecting a SQL payload into the customer_name or category fields via the customer creation form. This payload is then stored in the database. When the IGST_Invoice.php file is accessed, the injected SQL payload is executed, demonstrating the SQL injection vulnerability.
To address this vulnerability, it is recommended to use prepared statements for database queries, sanitize and validate user inputs, and ensure that the database user has the minimum necessary permissions.
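The following added example (not code from the application or the original advisory) models the second-order pattern in an in-memory SQLite database and contrasts a concatenated read-back query with a prepared one. The table layout, function names and sample values are assumptions made for illustration; only the `customer_name` field name comes from the advisory.

```python
import sqlite3

# Constructed sample values; the table and column layout is assumed, not the app's schema.
CUSTOMERS = ["Acme' OR '1'='1", "O'Brien Traders"]
INVOICES = [("Acme", 100.0), ("Globex", 250.0), ("O'Brien Traders", 75.0)]


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, customer_name TEXT);"
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, customer_name TEXT, total REAL);"
    )
    # Stage 1 (customer form): a parameterized INSERT stores the value verbatim,
    # quotes included. The write is safe; the stored data is still untrusted.
    db.executemany("INSERT INTO customers (customer_name) VALUES (?)",
                   [(n,) for n in CUSTOMERS])
    db.executemany("INSERT INTO invoices (customer_name, total) VALUES (?, ?)", INVOICES)
    return db


def stored_name(db, customer_id):
    row = db.execute("SELECT customer_name FROM customers WHERE id = ?",
                     (customer_id,)).fetchone()
    return row[0]


def invoices_concatenated(db, customer_id):
    # Stage 2, vulnerable pattern: the value read back from the database is
    # spliced into the SQL text, so its quotes become part of the statement.
    name = stored_name(db, customer_id)
    sql = "SELECT customer_name, total FROM invoices WHERE customer_name = '" + name + "'"
    return db.execute(sql).fetchall()


def invoices_prepared(db, customer_id):
    # Stage 2, fixed: the stored value is bound as data and never parsed as SQL.
    name = stored_name(db, customer_id)
    return db.execute(
        "SELECT customer_name, total FROM invoices WHERE customer_name = ?",
        (name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("concatenated:", invoices_concatenated(db, 1))
    print("prepared:    ", invoices_prepared(db, 1))
```

With the concatenated query, the first stored name returns every invoice row and the legitimate name containing an apostrophe raises a syntax error; the prepared query returns only exact matches in both cases.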