SourceCodester Simple POS and Inventory System SQL Injection Vulnerability in Customer and Supplier Edit Functions

Vulnerability

A vulnerability allowing SQL injection has been identified in SourceCodester Simple POS and Inventory System version 1.0. The issue arises in the customer and supplier edit functionalities within the admin panel, specifically in the 'edit_customer.php' and 'edit_supplier.php' files. The vulnerability is exploited by manipulating the 'id' GET parameter and associated POST parameters, which are directly concatenated into SQL UPDATE queries without proper sanitization. This flaw allows authenticated users to modify database records, including administrative accounts.

Impact

Exploitation of this vulnerability could lead to unauthorized access and modification of user accounts, including administrative privileges, through Insecure Direct Object Reference (IDOR) exploitation. Additionally, the SQL injection component of this vulnerability allows for arbitrary SQL query execution, potentially leading to data extraction or manipulation within the application's database. There is also a risk of causing a mass account lockout by injecting malicious SQL through the 'id' parameter.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to '/admin/edit_customer.php' or '/admin/edit_supplier.php' with the 'id' parameter set to the user ID of the account to be modified, along with the desired changes in the POST parameters. The absence of session verification allows for the overwriting of passwords and other account details.

Remediation

Users are advised to implement ownership checks to ensure that users can only update their own records. Additionally, all raw SQL queries should be replaced with parameterized statements to prevent SQL injection. Password hashing should be strengthened by using the 'password_hash()' function with the BCRYPT algorithm, and input validation should be improved by strictly validating and sanitizing all user-supplied data before processing.
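The following is an added example of an edit handler hardened along the lines of the remediation above; it is not SourceCodester's code. The table and column names (customers.id, customers.owner_id, customers.name, customers.password), the $_SESSION['user_id'] layout and the database credentials are assumptions.

```php
<?php
// Added example (not SourceCodester code): hardened customer edit handler.
// Assumed schema: customers(id, owner_id, name, password); assumed session key user_id.
session_start();

// Session verification: the caller must be logged in.
function current_user_id(): ?int {
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Strict validation of the 'id' parameter: only a positive integer is accepted,
// so payloads such as quotes or SQL keywords never reach the query at all.
function parse_record_id($raw): ?int {
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function update_customer(PDO $db, int $actor, int $id, string $name, ?string $pw): bool {
    // Ownership check: the record must belong to the acting user.
    $chk = $db->prepare('SELECT owner_id FROM customers WHERE id = :id');
    $chk->execute([':id' => $id]);
    $owner = $chk->fetchColumn();
    if ($owner === false || (int) $owner !== $actor) {
        return false; // record missing or not owned by the caller
    }
    // Parameterized UPDATE: every user-supplied value is bound, never concatenated.
    // The optional password fragment is a fixed string, not user input.
    $sql = 'UPDATE customers SET name = :name' . ($pw !== null ? ', password = :pw' : '')
         . ' WHERE id = :id AND owner_id = :owner';
    $stmt = $db->prepare($sql);
    $params = [':name' => $name, ':id' => $id, ':owner' => $actor];
    if ($pw !== null) {
        $params[':pw'] = password_hash($pw, PASSWORD_BCRYPT); // bcrypt, salted per password
    }
    return $stmt->execute($params);
}

$actor = current_user_id();
$id = parse_record_id($_GET['id'] ?? null);
if ($actor === null || $id === null) {
    http_response_code(403);
    exit;
}
$name = trim((string) ($_POST['name'] ?? ''));
if ($name === '' || strlen($name) > 100) {
    http_response_code(400);
    exit;
}
$pw = isset($_POST['password']) && $_POST['password'] !== '' ? (string) $_POST['password'] : null;
// Placeholder credentials; disable emulated prepares so MySQL binds the values natively.
$db = new PDO('mysql:host=localhost;dbname=pos', 'DB_USER', 'DB_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
echo update_customer($db, $actor, $id, $name, $pw) ? 'updated' : 'denied';
```

A request carrying an 'id' that belongs to another user, or one that is not a plain integer, is refused before any UPDATE runs, which closes both the IDOR and the injection path described above.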

Added: May 26, 2026, 7:53 PM
Updated: May 26, 2026, 7:53 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.