itsourcecode Online House Rental System manage_user.php sql injection

Vulnerability

A critical SQL injection vulnerability exists in manage_user.php of itsourcecode Online House Rental System version 1.0. The month_of parameter is directly concatenated into SQL queries without sanitization or validation, allowing an attacker to inject arbitrary SQL. The vulnerable software is available from the vendor's website and is not authenticated by default for this endpoint [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending a crafted HTTP request to the manage_user.php script with a malicious month_of parameter. For example, the payload page=payment_report&month_of=2024-06' AND (SELECT 2382 FROM (SELECT(SLEEP(5)))pylo) AND 'mZtF'='mZtF demonstrates time-based blind SQL injection [1]. No special privileges or user interaction is required; the attack can be executed simply by sending the request.

Impact

Successful exploitation allows an attacker to gain unauthorized access to the database, read sensitive data (such as user credentials, personal information, and tenancy records), modify or delete data, and potentially achieve complete database compromise. This can lead to full system control and service disruption [1]. The impact is rated as critical due to the ease of exploitation and the severity of potential data breaches.

Mitigation

As of the publication date (2024-06-15), no patch has been released by the vendor. The software version 1.0 remains vulnerable and unmaintained. The recommended mitigation is to immediately remove or restrict access to manage_user.php on public-facing servers, implement strong input validation and parameterized queries, or switch to a supported rental management system. The vendor website does not indicate any planned update [1].