SourceCodester Lost and Found Information System view_inquiry.php SQL injection
Description
A vulnerability has been found in SourceCodester Lost and Found Information System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file admin\inquiries\view_inquiry.php. The manipulation leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-231151.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lost and Found Information System 1.0 is vulnerable to SQL injection in view_inquiry.php, enabling remote attackers to extract or modify database contents.
Vulnerability
In SourceCodester Lost and Found Information System 1.0, the file admin\inquiries\view_inquiry.php does not sanitize user-supplied input before using it in SQL queries. This leads to a classic SQL injection vulnerability. The code directly concatenates the id parameter into a query without proper escaping or parameterized statements, allowing an attacker to inject arbitrary SQL commands. The affected version is 1.0. [1]
Exploitation
An unauthenticated attacker can trigger the vulnerability remotely by sending a crafted HTTP request to the admin/inquiries/view_inquiry.php endpoint with a malicious id parameter. The exploit does not require any prior authentication or special privileges. The public proof-of-concept demonstrates how to inject SQL using a time-based blind technique, such as ' AND (SELECT 9094 FROM (SELECT(SLEEP(5)))psGp) AND 'osaz'='osaz. The attack can be automated with tools like sqlmap. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands on the database, leading to unauthorized disclosure of sensitive data (e.g., user credentials, personal information), as well as data modification or deletion. The attacker gains read and write access to the database contents, potentially compromising the entire application backend. [1]
Mitigation
As of the publication date, no official patch or fixed version has been released by SourceCodester. The vendor has not acknowledged the vulnerability. Users should upgrade to a patched version if available, or apply input validation and parameterized queries to the affected file. Until a fix is provided, restricting network access to the admin panel and using a web application firewall can help reduce risk. [1]
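One way to review web server access logs for the request pattern described above, as an added example that is not part of the original advisory or the vendor's code: it flags requests to view_inquiry.php whose id value is not a plain integer. The combined log format, the /lfis path prefix, the sample lines, and the assumption that id arrives in the query string are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory.
TARGET = "/admin/inquiries/view_inquiry.php"
# Request portion of an Apache/nginx combined-format access log line (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_id(uri):
    """Return the first non-integer id value sent to the target endpoint, else None."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith(TARGET):
        return None
    # parse_qs percent-decodes values; keep blanks so an empty "id=" is inspected too.
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        # Strict allow-list: a record id should be digits only.
        if not re.fullmatch(r"[0-9]{1,10}", value):
            return value
    return None

def scan(lines):
    """Return (client_ip, status, decoded_id) for each flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        bad = suspicious_id(m.group("uri"))
        if bad is not None:
            hits.append((m.group("ip"), int(m.group("status")), bad))
    return hits

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /lfis/admin/inquiries/view_inquiry.php?id=3 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /lfis/admin/inquiries/view_inquiry.php?id=1%27%20AND%20%28SELECT%209094%20FROM%20%28SELECT%28SLEEP%285%29%29%29psGp%29%20AND%20%27osaz%27%3D%27osaz HTTP/1.1" 200 1432 "-" "sqlmap/1.7"',
    '203.0.113.9 - - [01/Jan/2024:10:00:11 +0000] "GET /lfis/admin/inquiries/view_inquiry.php?id= HTTP/1.1" 200 310 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /lfis/admin/index.php?id=abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, value in scan(SAMPLE_LOG):
        print(f"{ip} status={status} id={value!r}")
```

The same digits-only check can serve as the input validation rule in front of the affected file until the query itself is parameterized.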
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
- SourceCodester/Lost and Found Information System, v5, Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/AnotherN/cvv/blob/main/imgs/Lost%20and%20Found%20Information%20System%20-%20multiple%20vulnerabilities.md (mitre, exploit)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)