SourceCodester Employee Management System login.php sql injection

Vulnerability

A critical SQL injection vulnerability exists in SourceCodester Employee Management System version 1.0. The issue affects the /Account/login.php page, where the txtusername and txtphone parameters are unsafely concatenated into SQL queries. The vulnerability can be triggered by an unauthenticated attacker sending a POST request to the login endpoint with a malicious payload in these parameters [1].

Exploitation

An attacker can exploit this vulnerability remotely without any prior authentication. The provided proof-of-concept (POC) demonstrates injecting a time-based blind SQLi payload (e.g., admin' AND (SELECT 2131 FROM (SELECT(SLEEP(5)))tfPL) AND 'wOKG'='wOKG) via the txtemail parameter in a POST request to /Account/login.php [1]. Tools like sqlmap can automate extraction of database content. The attacker only needs network access to the target web server.

Impact

Successful exploitation allows an attacker to read, modify, or delete database contents, potentially leading to full disclosure of application credentials, user data, and administrative privileges. Since the vulnerability is in the login mechanism, an attacker could bypass authentication and gain unauthorized access to the Employee Management System as any user [1]. The CVSS score of 9.8 (Critical) reflects the ease of remote exploitation and severe confidentiality, integrity, and availability impact.

Mitigation

As of the publication date (2024-02-23), no official patch has been released by SourceCodester for version 1.0. The software link provides the current version, but no update is available [1][2]. Administrators are advised to implement input sanitization and parameterized queries for all user-supplied inputs in /Account/login.php and other login pages. Until a fix is issued, limiting network exposure or deploying a web application firewall (WAF) may reduce risk.