code-projects Employee Management System
- 1.0
A SQL injection vulnerability has been identified in Code-Projects Employee Management System version 1.0. The flaw is in the file '/process/applyleaveprocess.php', where the user-controlled 'id' parameter is concatenated into an SQL 'INSERT' statement without parameterization or validation. It is exploitable remotely and lets an attacker alter the structure of the query, potentially leading to unauthorized data insertion or modification, depending on the privileges of the database account the application uses. Additionally, the same unvalidated 'id' value is reflected in the 'Location' header of the HTTP redirect that follows, which could cause header (response) splitting or open redirect issues in some environments.
Because the injection point is an 'INSERT', the attacker does not see query results directly; the practical technique is blind exploitation, for example time-based payloads whose delay reveals whether an injected expression was evaluated, which is enough to infer database version and contents one condition at a time. The reflection of the untrusted 'id' in the 'Location' header is a secondary issue whose impact depends on the server and PHP configuration: PHP's header() function has rejected embedded CR/LF since 5.1.2, so response splitting mainly concerns legacy stacks, while an attacker-controlled redirect target does not require a newline.
To reproduce this vulnerability, send a POST request to '/process/applyleaveprocess.php' with the 'id' parameter set to a crafted SQL injection payload, and include the 'reason', 'start', and 'end' fields in the POST body so the request reaches the 'INSERT'. The injection can be verified by using a payload containing a time-delay expression and comparing the response time against a baseline request with a benign 'id': a delay that matches the requested sleep interval, and that scales when the interval is changed, shows that the expression was evaluated by the database rather than being an artifact of server load.
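The pattern the advisory describes, shown as an added illustration rather than the project's own code: a reconstruction of the vulnerable shape of 'applyleaveprocess.php' next to a hardened version. The function names, and the table and column names 'leaves', 'emp_id', 'reason', 'start_date' and 'end_date', are assumptions; only the file path, the parameter names and the 'INSERT' plus 'Location' behaviour come from the advisory.

```php
<?php
// Added example, not code from Code-Projects Employee Management System.
// The real file is assumed to build its INSERT by string concatenation;
// table/column names below are placeholders chosen for this illustration.

// --- Vulnerable pattern (assumed shape of the flaw) ---
function apply_leave_vulnerable(mysqli $db, array $post): void
{
    $id     = $post['id'];      // attacker-controlled, used verbatim
    $reason = $post['reason'];
    $start  = $post['start'];
    $end    = $post['end'];

    // 'id' lands inside the SQL text unquoted, so whatever the client sends
    // becomes part of the statement and is evaluated by the database.
    $sql = "INSERT INTO leaves (emp_id, reason, start_date, end_date)
            VALUES ($id, '$reason', '$start', '$end')";
    $db->query($sql);

    // The same untrusted value is echoed into the redirect target.
    header("Location: ../leave.php?id=$id");
    exit;
}

// --- Hardened version ---
function apply_leave_fixed(mysqli $db, array $post): void
{
    // 'id' can only ever be a positive integer; reject anything else before
    // it reaches SQL or a header. FILTER_VALIDATE_INT returns false for
    // strings such as "1 OR SLEEP(5)" or "1%0d%0aSet-Cookie: x=y".
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('invalid id');
    }
    $reason = (string)($post['reason'] ?? '');
    $start  = (string)($post['start']  ?? '');
    $end    = (string)($post['end']    ?? '');

    // Prepared statement: values travel to the server separately from the
    // SQL text, so no input can change the statement's structure. All four
    // fields are bound, not just 'id', since the same mistake would apply.
    $stmt = $db->prepare(
        'INSERT INTO leaves (emp_id, reason, start_date, end_date)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('isss', $id, $reason, $start, $end);
    $stmt->execute();
    $stmt->close();

    // Only the validated integer reaches the Location header; urlencode is
    // defence in depth against CR/LF or other delimiter characters.
    header('Location: ../leave.php?id=' . urlencode((string)$id));
    exit;
}
```

The check a reviewer would apply to the patched file is that the 'id' value is validated as an integer (or bound as one) before it is used anywhere, and that the redirect target is built only from the validated value. Escaping with mysqli_real_escape_string() alone would not be sufficient here, because the value is used unquoted inside the statement.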