SourceCodester Canteen Management System login.php sql injection
Description
A vulnerability was found in SourceCodester Canteen Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file login.php. The manipulation of the argument business leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-211192.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Canteen Management System 1.0 login.php username parameter is vulnerable to unauthenticated SQL injection leading to data exposure.
Vulnerability
Canteen Management System 1.0, a PHP-based web application available from SourceCodester, contains a SQL injection vulnerability in the login.php file. The username parameter is passed directly into a SQL query without proper sanitization or validation, allowing an attacker to inject arbitrary SQL commands. The application is publicly accessible and the vulnerability is triggered via a POST request to login.php with a crafted username value [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability remotely by sending a specially crafted HTTP POST request to login.php. The attacker includes a SQL injection payload in the username parameter, such as a time-based blind injection using SLEEP() or a UNION-based injection. No user interaction or prior authentication is required. The exploit has been publicly disclosed with a proof-of-concept payload that demonstrates a time-based blind SQL injection [1].
Impact
Successful exploitation allows an attacker to retrieve sensitive data from the database, including user credentials, session tokens, and other application data. The attacker can also potentially modify or delete data, escalate privileges, or gain administrative access to the application. The impact is complete confidentiality, integrity, and availability compromise of the affected system [1].
Mitigation
As of the publication date (2022-10-18), no official patch has been released by the vendor. The application remains vulnerable. Users should apply input validation and parameterized queries to all user-supplied input, especially in the login form. Consider using a web application firewall (WAF) to block SQL injection attempts. The use of the application in a production environment without mitigation is not recommended.
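The mitigation above, parameterized queries for the login lookup, shown next to the unsafe pattern the Vulnerability section describes. This is an added example and not code from the Canteen Management System project; the table layout, column names and the sample account are constructed, and it uses an in-memory SQLite database through PDO so it runs offline (the original application uses MySQL, where PDO prepared statements bind values the same way).

```php
<?php
// Added example, not the project's own code. Demonstrates why concatenating
// the username into the SQL string exposes rows to an attacker, and how a
// prepared statement with a bound parameter closes the hole.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and sample account (not the real application's tables).
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$seed->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// VULNERABLE: the request parameter becomes part of the query grammar, so a
// quote in the input changes what the WHERE clause means. Kept only to show
// the defect; do not use this pattern.
function findUserVulnerable(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// FIXED: the value is bound as a parameter. The database engine receives the
// query text and the value separately, so the input can never be parsed as SQL.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Defence in depth: reject input that cannot be a legitimate username before it
// reaches the query. Parameterization is the real fix; this limits what the
// form accepts and makes injection attempts easy to log.
function isPlausibleUsername(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $username);
}

// Login check built on the safe lookup. Password hashes are verified with
// password_verify(), never compared inside the SQL statement.
function login(PDO $pdo, string $username, string $password): bool
{
    if (!isPlausibleUsername($username)) {
        return false;
    }
    $row = findUserSafe($pdo, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

// Constructed test input: a string that is not any user's name but contains a
// quote. The vulnerable lookup matches a row anyway; the safe one does not.
$probe = "x' OR '1'='1";
echo 'vulnerable lookup returned a row: ', var_export(findUserVulnerable($pdo, $probe) !== null, true), PHP_EOL;
echo 'safe lookup returned a row:       ', var_export(findUserSafe($pdo, $probe) !== null, true), PHP_EOL;
echo 'login with probe accepted:        ', var_export(login($pdo, $probe, 'anything'), true), PHP_EOL;
echo 'login with real credentials:      ', var_export(login($pdo, 'alice', 'correct horse battery staple'), true), PHP_EOL;
```

Run it with `php example.php` on any PHP build with the PDO SQLite driver. The first line shows the data exposure the advisory describes (a row comes back for a name that does not exist), the second and third show the bound parameter treating the same input as an ordinary literal, and the last confirms the hardened path still authenticates a real account.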
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.