SourceCodester Lost and Found Information System manage_user.php sql injection
Description
A vulnerability, which was classified as critical, was found in SourceCodester Lost and Found Information System 1.0. Affected is an unknown function of the file admin\user\manage_user.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-231150 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Critical SQL injection in admin/manage_user.php of SourceCodester Lost and Found Information System 1.0 allows remote unauthenticated attackers to extract database contents.
Vulnerability
The vulnerability is a SQL injection (CWE-89) in the id parameter of the file admin\user\manage_user.php in SourceCodester Lost and Found Information System version 1.0. The application concatenates the user-supplied id parameter directly into a SQL query without input sanitization or parameterized statements, as shown in the related code pattern in the reference. Because the admin pages in this version are served without an authentication check, the vulnerable code path is reachable by any visitor and requires no special configuration.
Exploitation
An attacker can exploit this remotely by sending a crafted HTTP GET request to the vulnerable endpoint (e.g., http://php-lfis.com/?page=admin/user/manage_user&id=[payload]). No authentication is required, as the admin pages are publicly accessible in this version. The attacker can use tools like sqlmap or manual payloads to inject SQL commands. The reference [1] provides a proof-of-concept showing the injection point and sqlmap results confirming the exploitability.
Impact
Successful exploitation allows an attacker to read arbitrary data from the application's database, including user credentials, personal information, and other sensitive records. This is a complete confidentiality breach, with potential for privilege escalation if admin sessions or passwords are obtained. An attacker able to dump entire database tables also puts the application's data integrity and availability at risk indirectly.
Mitigation
The vendor has not released an official patch for this vulnerability as of the publication date (2023-06-09). Users are advised to apply input sanitization and use parameterized queries in the affected file. As a temporary workaround, restrict access to the admin directory via web server rules or authentication until a fix is available. The vulnerability is not currently listed in the CISA KEV catalog. The affected version (1.0) may be end-of-life; consider migrating to a maintained alternative.
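To make the mitigation concrete, the following PHP is an added illustration, not code from SourceCodester or from the reference: it shows the concatenation pattern the advisory describes for the id parameter next to a parameterized rewrite and an authentication gate. The database handle $conn, the users table and its column names are assumptions for the example.

```php
<?php
// Added example (not the project's code). Assumes a mysqli connection in
// $conn and a hypothetical `users` table with id, username and email columns.

// --- Vulnerable pattern: what CWE-89 looks like in a lookup by id ---------
function load_user_unsafe(mysqli $conn, string $id): ?array {
    // The raw request value is spliced into the SQL text, so whatever it
    // contains becomes part of the statement grammar instead of data.
    $sql = "SELECT id, username, email FROM users WHERE id = '" . $id . "'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened pattern: validate, then bind as a parameter -----------------
function load_user_safe(mysqli $conn, string $id): ?array {
    // Reject anything that is not a positive integer before it reaches SQL.
    $uid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        return null;
    }
    // With a prepared statement the value is sent separately from the query
    // text, so no part of it can change the statement's structure.
    $stmt = $conn->prepare("SELECT id, username, email FROM users WHERE id = ?");
    $stmt->bind_param('i', $uid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// --- Access control: an unauthenticated caller never reaches the query ----
function require_admin(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Assumes the application marks an admin login with $_SESSION['admin_id'].
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage in a page such as manage_user.php (hypothetical wiring):
// require_admin();
// $user = load_user_safe($conn, $_GET['id'] ?? '');
```

The validation step is belt-and-braces: the prepared statement alone closes the injection, but rejecting non-integer ids early keeps malformed input out of logs and error paths, and the session check addresses the separate problem the advisory notes, that the admin pages are reachable without logging in.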
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
- SourceCodester/Lost and Found Information System, Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is generated only when the actual fix diff can be read. Without it, the four sub-sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] github.com/AnotherN/cvv/blob/main/imgs/Lost%20and%20Found%20Information%20System%20-%20multiple%20vulnerabilities.md (mitre, exploit)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.