VYPR
Unrated severity · NVD Advisory · Published Dec 17, 2023 · Updated May 7, 2025

SourceCodester Best Courier Management System manage_user.php sql injection

CVE-2023-6898

Description

A vulnerability classified as critical has been found in SourceCodester Best Courier Management System 1.0. Affected is an unknown function of the file manage_user.php. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-248256.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A critical SQL injection in SourceCodester Best Courier Management System 1.0's manage_user.php allows unauthenticated attackers to extract database data or execute commands.

Vulnerability

A critical SQL injection vulnerability exists in SourceCodester Best Courier Management System version 1.0 (released 2023/10/27) [1]. The flaw resides in the file manage_user.php at line 5, where the id parameter is directly concatenated into an SQL query without sanitization [1]. An attacker can inject arbitrary SQL statements via the id GET parameter. The vulnerable version is the one available from SourceCodester as of that date.

Exploitation

The attacker needs only network access to the web application; no authentication is required [1]. The exploit uses a crafted HTTP GET request to manage_user.php with a malicious id parameter. For example, the proof-of-concept payload (select*from(select+sleep(3)union/**/select+1)a) causes a 3-second delay, confirming time-based blind SQL injection [1]. The attacker can automate extraction using tools like sqlmap over the same endpoint.

Impact

Successful exploitation allows an attacker to retrieve arbitrary data from the database, including credentials and other sensitive information [1]. The advisory further states that attackers may gain control of the website by obtaining database information [1]. The impact is high confidentiality compromise, with potential for privilege escalation depending on the database user's permissions.

Mitigation

As of the publication date (2023-12-17), no official patch has been released by SourceCodester. The vendor has not addressed this issue in any subsequent version known from the references. The only code-level fix is to validate and parameterize the id parameter in manage_user.php. Until a fix is available, administrators should restrict network access to the application or apply a Web Application Firewall rule to block SQL injection payloads. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
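The following is an added illustration of the fix described above, not code from the Best Courier Management System itself: a hypothetical handler showing the concatenation pattern the advisory describes next to a hardened version that validates and binds the id parameter. It assumes an existing mysqli connection in `$conn` and a `users` table keyed by an integer `id` column; both are assumptions.

```php
<?php
// Added illustration (not the project's own code) of the defect class the
// advisory describes and of one hardened replacement.
// Assumptions: $conn is an open mysqli connection and `users` has an integer
// primary key `id`. Neither is taken from the project.

// VULNERABLE PATTERN: the request value is spliced into the SQL text, so
// whatever the client sends is parsed by the database as part of the query.
function loadUserUnsafe(mysqli $conn, array $get): ?array
{
    $sql = "SELECT * FROM users WHERE id = '" . ($get['id'] ?? '') . "'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED: reject anything that is not a positive integer, then bind the
// value as a parameter so it can never change the structure of the query.
function loadUserSafe(mysqli $conn, array $get): ?array
{
    // FILTER_VALIDATE_INT returns false for any non-integer input, which
    // covers the time-based payload quoted in the advisory.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // Prepared statement: the query text is fixed, the id travels separately.
    $stmt = $conn->prepare('SELECT * FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);   // 'i' binds an integer placeholder
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Wiring for the page handler: replace the unsafe lookup with the safe one.
$user = loadUserSafe($conn, $_GET);
```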

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)