SourceCodester Best Employee Management System fetch_product_details.php sql injection
Description
A vulnerability, which was classified as critical, has been found in SourceCodester Best Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/fetch_product_details.php. The manipulation of the argument barcode leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Critical SQL injection in SourceCodester Best Employee Management System 1.0 via barcode parameter in /admin/fetch_product_details.php.
Vulnerability
A critical SQL injection vulnerability exists in SourceCodester Best Employee Management System 1.0, specifically in the file /admin/fetch_product_details.php. The barcode parameter passed via POST is not sanitized, allowing an attacker to inject arbitrary SQL statements. The application is available for download from SourceCodester [2] and the issue affects the latest version as per the public disclosure [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication by sending a crafted POST request to /admin/fetch_product_details.php with a malicious barcode value. The public proof-of-concept includes a detailed HTTP request and demonstrates using sqlmap to extract the current database [1]. No special privileges or user interaction are required; the attacker only needs network access to the vulnerable endpoint.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands, leading to unauthorized access to sensitive data in the database, modification of records, or potential escalation of privileges. Given the critical severity, the impact is considered high for confidentiality, integrity, and availability.
Mitigation
As of the publication date (2024-11-14), no official patch or fixed version has been released by SourceCodester. Users should apply input validation and parameterized queries on the barcode parameter, or restrict access to the vulnerable file until a patch becomes available. This vulnerability has been publicly disclosed and may be added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
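The mitigation above, worked through as an added example that is not code from the project or from the public disclosure: a hardened handler for the POSTed barcode parameter that restricts the page to an authenticated admin session, allow-lists the barcode format, and binds the value with a PDO prepared statement. The table and column names (products, barcode, id, name, price), the session key and the DSN are assumptions.

```php
<?php
// Added example, not the project's own code. Table/column names, the
// session key and the DSN are assumed for illustration.
//
// Vulnerable pattern (for contrast only): building the query by string
// concatenation lets the request body change the statement's structure:
//   $db->query("SELECT ... FROM products WHERE barcode = '" . $_POST['barcode'] . "'");

declare(strict_types=1);

function fetchProductByBarcode(PDO $db, string $barcode): ?array
{
    // Input validation: accept only characters a barcode can legitimately
    // contain, and bound its length. Reject anything else outright.
    if (!preg_match('/^[A-Za-z0-9-]{1,64}$/', $barcode)) {
        return null;
    }
    // Parameterized query: the statement text is fixed and the value is
    // transmitted separately, so it is treated as data, never as SQL.
    $stmt = $db->prepare(
        'SELECT id, name, price FROM products WHERE barcode = :barcode LIMIT 1'
    );
    $stmt->execute([':barcode' => $barcode]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Restrict access: /admin/ pages should require an authenticated admin session.
session_start();
if (empty($_SESSION['admin_id'])) {          // assumed session key
    http_response_code(403);
    exit;
}

$db = new PDO('mysql:host=localhost;dbname=bems;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // server-side prepared statements
]);

$barcode = (string) ($_POST['barcode'] ?? '');
$product = fetchProductByBarcode($db, $barcode);

header('Content-Type: application/json');
if ($product === null) {
    http_response_code(404);
    echo json_encode(['error' => 'product not found']);
} else {
    echo json_encode($product);
}
```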
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/physicszq/web_issue/blob/main/Management/sql_injection01.md (mitre: exploit)
- vuldb.com (mitre: third-party-advisory)
- vuldb.com (mitre: signature, permissions-required)
- vuldb.com (mitre: vdb-entry, technical-description)
- www.sourcecodester.com (mitre: product)
News mentions
No linked articles in our index yet.