SourceCodester Employee Management System eprocess.php sql injection

Vulnerability

The vulnerability resides in the /process/eprocess.php file of SourceCodester Employee Management System. The mailuid and pwd POST parameters are directly concatenated into SQL queries without sanitization or parameterization, as shown in the source code: $sql = "SELECT * from employee WHERE email = '$email' AND password = '$password'";. This allows an attacker to inject arbitrary SQL commands. The affected versions include all distributions of the Employee Management System available from the vendor's website [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication. By sending a POST request to /process/eprocess.php with a crafted mailuid parameter, such as 1' or 1 #, the attacker can bypass the login authentication. The proof-of-concept demonstrates that this payload results in a successful login. Additionally, tools like sqlmap can be used to perform boolean-based blind, error-based, and time-based blind SQL injection attacks [1].

Impact

Successful exploitation allows an attacker to bypass authentication and gain unauthorized access to the employee management system. Depending on the database privileges, the attacker may extract sensitive information such as employee records, passwords, or other data stored in the database. The impact is considered critical due to the potential for data breach and further compromise of the system [1].

Mitigation

As of the publication date (2022-08-09), no official patch has been released by SourceCodester. Users are advised to implement input validation and use parameterized queries (prepared statements) to prevent SQL injection. The source code is available, so developers can modify the eprocess.php file to use secure database access methods. Until a fix is applied, the system remains vulnerable [1].