VYPR
Unrated severity · NVD Advisory · Published Aug 9, 2022 · Updated Apr 15, 2025

SourceCodester Employee Management System aprocess.php sql injection

CVE-2022-2724

Description

A vulnerability was found in SourceCodester Employee Management System. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /process/aprocess.php. The manipulation of the argument mailuid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-205837 was assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A critical SQL injection vulnerability in SourceCodester Employee Management System allows remote attackers to bypass authentication via the `mailuid` parameter in `/process/aprocess.php`.

Vulnerability

The `/process/aprocess.php` endpoint in SourceCodester Employee Management System versions up to and including the latest available release is vulnerable to SQL injection. The `mailuid` POST parameter is directly concatenated into a SQL query without sanitization or parameterization: `$sql = "SELECT * from alogin WHERE email = '$email' AND password = '$password'";`. This allows an attacker to inject arbitrary SQL commands. The affected software is available for download on SourceCodester [1].

Exploitation

An attacker can exploit this vulnerability remotely without any prior authentication. The proof of concept demonstrates that sending a POST request to `/ems/process/aprocess.php` with `mailuid=admin' or 1 #` and any password results in a successful login, bypassing authentication [1]. Additionally, automated tools like sqlmap can be used to perform boolean-based blind, error-based, and time-based blind SQL injection attacks, allowing extraction of database contents [1].

Impact

Successful exploitation allows an attacker to bypass authentication and gain unauthorized administrator-level access to the Employee Management System. This can lead to full disclosure of sensitive employee data, modification or deletion of records, and potentially full compromise of the application’s database and underlying server [1].

Mitigation

As of the publication date (August 2022), no official patch or fixed version has been released by SourceCodester [1]. The vendor has not responded or provided updated code. System administrators should consider disabling or removing the affected application from production environments, implementing web application firewall rules to block SQL injection patterns, or fixing the query themselves so that the `mailuid` parameter is passed through a prepared statement with bound parameters instead of being concatenated into the SQL string. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
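The following is an added example, not code from the SourceCodester project or from the advisory's references: it shows the login query quoted in the Vulnerability section as written (string concatenation) and the prepared-statement rewrite that the Mitigation section recommends. The `alogin` table and its `email`/`password` columns and the `mailuid` field name come from the advisory; the `$conn` connection details and the `password` form field name are assumptions.

```php
<?php
// Added example (not the project's own code). Table and column names are
// taken from the advisory's query; connection credentials are placeholders.

// BEFORE: the request values are dropped straight into the SQL text, so a
// quote character in $email changes the structure of the WHERE clause.
function login_vulnerable(mysqli $conn, string $email, string $password): ?array
{
    $sql = "SELECT * from alogin WHERE email = '$email' AND password = '$password'";
    $result = $conn->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// AFTER: the SQL text is fixed at prepare() time and the two values travel
// separately as bound parameters, so they can only ever be compared as data.
// (The advisory's query compares passwords in plain text; hashing them is a
// separate fix that this example does not cover.)
function login_fixed(mysqli $conn, string $email, string $password): ?array
{
    $stmt = $conn->prepare(
        'SELECT * FROM alogin WHERE email = ? AND password = ?'
    );
    $stmt->bind_param('ss', $email, $password); // 'ss': both bound as strings
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Handler as it would sit in process/aprocess.php.
// Assumed: database credentials and the name of the password form field.
$conn = new mysqli('localhost', 'ems_user', 'CHANGE_ME', 'ems_db');
$conn->set_charset('utf8mb4');

$email    = $_POST['mailuid']  ?? '';
$password = $_POST['password'] ?? '';

$user = login_fixed($conn, $email, $password);
if ($user === null) {
    // One generic response for both "unknown email" and "wrong password".
    http_response_code(401);
    exit('Invalid login');
}
// ... establish the admin session for $user['email'] here
```

With `login_fixed`, a value such as the one in the advisory's proof of concept is simply looked up as a literal e-mail address and matches no row.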

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
