VYPR
Unrated severity · NVD Advisory · Published Nov 14, 2024 · Updated Nov 14, 2024

SourceCodester Best Employee Management System edit_role.php sql injection

CVE-2024-11213

Description

A vulnerability, which was classified as critical, was found in SourceCodester Best Employee Management System 1.0. This affects an unknown part of the file /admin/edit_role.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Critical SQL injection in SourceCodester Best Employee Management System 1.0 allows remote authenticated attackers to extract data via the id parameter in edit_role.php.

Vulnerability

A critical SQL injection vulnerability exists in SourceCodester Best Employee Management System version 1.0. The flaw resides in the /admin/edit_role.php script, where the id parameter is directly concatenated into a SQL query without proper sanitization. The vulnerable code uses $stmt = $conn->prepare("SELECT * FROM groups WHERE id='" . $_POST['id'] . "'");, allowing an attacker to inject arbitrary SQL commands. The attack requires authentication, as the endpoint is part of the admin panel [1].

Exploitation

An attacker must first obtain valid credentials to access the admin panel. Once authenticated, they can send a POST request to /admin/edit_role.php with a crafted id parameter. For example, the payload ';SELECT SLEEP(5) AND 'id'='id triggers a 5-second time delay if the injection is successful, confirming the vulnerability. After confirmation, tools like sqlmap or ghauri can be used to automate data extraction [1].

Impact

Successful exploitation allows an attacker to extract sensitive data from the database, such as user credentials or other confidential information. Additionally, time-based SQL injection can cause denial of service by introducing delays via functions like SLEEP(). No privilege escalation or remote code execution is reported [1].

Mitigation

As of the publication date (2024-11-14), no official patch has been released by the vendor, and it is unclear whether the application is still actively maintained (SourceCodester projects may be end-of-life). The recommended mitigation is to sanitize all user inputs and use prepared statements with parameterized queries. Until a fix is available, restrict access to the admin panel and monitor for suspicious activity. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
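To make the defect from the Vulnerability section and the fix recommended above concrete, here is an added example (not the project's code) that models the edit_role.php query in Python against a constructed in-memory SQLite table. SQLite stands in for MySQL, so SLEEP() never executes, but the stacked-statement payload quoted in the advisory still shows how concatenated input changes the statement structure while the parameterized query treats the same input as an ordinary value.

```python
import sqlite3

# Payload quoted in the advisory above; used only to show how it alters the query text.
ADVISORY_PAYLOAD = "';SELECT SLEEP(5) AND 'id'='id"


def make_db():
    """Constructed stand-in for the application's 'groups' table (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO groups VALUES (?, ?)",
                     [(1, "admin"), (2, "hr"), (3, "staff")])
    return conn


def build_vulnerable_sql(user_id):
    """Mirrors the advisory's pattern: $_POST['id'] is concatenated into the SQL text."""
    return "SELECT * FROM groups WHERE id='" + user_id + "'"


def lookup_vulnerable(conn, user_id):
    """Runs the concatenated query. Returns rows, or None when the input turned the
    single statement into several (SQLite refuses stacked statements in execute();
    MySQL behaves differently, but the structural change to the query is the same)."""
    try:
        return conn.execute(build_vulnerable_sql(user_id)).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return None


def lookup_fixed(conn, user_id):
    """Parameterized form of the same query: the value is bound, never parsed as SQL.
    The PHP mysqli equivalent is prepare('... WHERE id = ?') followed by bind_param('i', $id)."""
    return conn.execute("SELECT * FROM groups WHERE id = ?", (user_id,)).fetchall()


def validate_id(raw):
    """Allowlist check to apply before the query: a role id must be a positive integer.
    Returns the int, or None when the value should be rejected."""
    return int(raw) if raw.isdigit() and int(raw) > 0 else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql(ADVISORY_PAYLOAD))
    print(lookup_vulnerable(db, "2"), lookup_vulnerable(db, ADVISORY_PAYLOAD))
    print(lookup_fixed(db, 2), lookup_fixed(db, ADVISORY_PAYLOAD))
```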

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)