VYPR
Unrated severity · NVD Advisory · Published Aug 25, 2024 · Updated Aug 26, 2024

code-projects Pharmacy Management System index.php SQL injection

CVE-2024-8146

Description

A vulnerability has been found in code-projects Pharmacy Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /index.php?action=editSalesman. The manipulation of the argument id leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in code-projects Pharmacy Management System 1.0 via id parameter in /index.php?action=editSalesman allows remote attackers to execute arbitrary SQL queries.

Vulnerability

A critical SQL injection vulnerability exists in code-projects Pharmacy Management System version 1.0. The affected endpoint is /index.php?action=editSalesman, where the id parameter is directly concatenated into SQL queries without proper sanitization or parameterization. This allows an unauthenticated remote attacker to inject arbitrary SQL commands. The affected code, which handles the salesman edit functionality, has not been identified more precisely. [1]

Exploitation

The attacker can exploit this remotely by sending a crafted HTTP request to the vulnerable endpoint with a malicious id parameter. No authentication is required. The attacker can use common SQL injection techniques (e.g., UNION, blind injection) to extract data. The exploit has been publicly disclosed, increasing the risk of widespread exploitation. [1]

Impact

Successful exploitation results in unauthorized access to the underlying database. An attacker can read, modify, or delete sensitive data, including user credentials, patient information, and inventory records. This could lead to complete compromise of the application and loss of data integrity. The attacker may also escalate to system-level access by leveraging database privileges. [1]

Mitigation

As of the publication date (2024-08-25), no official patch has been released by code-projects.org. The vendor website provides the source code but no advisory or updated version. Users should immediately apply input validation and use prepared statements for all database queries. If that is not possible, the application should be taken offline until a fix is available. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing. [1]
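
One way to apply the input-validation and prepared-statement advice above to an `id`-style lookup, as an added example that is not the project's own code. The advisory does not identify the affected code, so the function names `parse_id` and `load_salesman`, the `salesman` table and its columns, and the connection settings are all assumptions.

```php
<?php
// Added illustration; not code from Pharmacy Management System.
// Table/column names and credentials below are hypothetical placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/*
 * Pattern the advisory describes (do not use): request input concatenated
 * into the statement text, so the value is parsed as SQL.
 *   $sql = "SELECT ... FROM salesman WHERE id = " . $_GET['id'];
 */

/** Validate the raw request value as a positive integer, or return null. */
function parse_id($raw): ?int
{
    if (!is_string($raw)) {            // rejects arrays such as ?id[]=1
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Fetch one row with a bound parameter; input never reaches the SQL text. */
function load_salesman(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, phone FROM salesman WHERE id = ?');
    $stmt->bind_param('i', $id);       // 'i' = bound as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$id = parse_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);           // fail closed on anything non-numeric
    exit('Invalid id');
}

$db = new mysqli('127.0.0.1', 'app_user', 'change-me', 'pharmacy'); // placeholders
$row = load_salesman($db, $id);
if ($row === null) {
    http_response_code(404);
    exit('Not found');
}
echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
```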

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

5
