SourceCodester Simple POS and Inventory System SQL Injection Vulnerability in Delete Functionality

A SQL injection vulnerability has been identified in SourceCodester Simple POS and Inventory System version 1.0. The issue arises in the delete functionality of the admin deleteproduct.php, deletecustomer.php, and deletesupplier.php files, where the GET parameter 'id' is not properly sanitized before being used in SQL queries. This vulnerability allows authenticated users to delete arbitrary records or exfiltrate sensitive data through UNION-based injection.

Impact

Exploitation of this vulnerability allows for arbitrary deletion of products, customers, and supplier records. Additionally, it enables extraction of usernames, MD5 password hashes, and business data via UNION-based injection. There is also a potential for remote code execution by using the SQL injection to write a payload to the server, if the injected SQL is executed with sufficient privileges.

Reproduction

To reproduce this vulnerability, send a GET request to '/admin/deleteproduct.php' with an 'id' parameter that includes a SQL injection payload. The injection can be verified by using a time-based blind SQL injection payload, such as one that causes the database to wait for a few seconds before responding, indicating that the injection was successful.

Remediation

To address this vulnerability, it is recommended to use prepared statements for database queries, validate input by casting the 'id' parameter to an integer, implement role-based access control to restrict delete operations to administrators, and add CSRF protection by using POST requests for state-changing actions and including CSRF tokens.