SourceCodester Simple POS and Inventory System edit_customer.php sql injection
Description
A vulnerability has been found in SourceCodester Simple POS and Inventory System 1.0. The affected element is an unknown function of the file /admin/edit_customer.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection and IDOR in SourceCodester Simple POS and Inventory System 1.0 allow any logged-in user to take over the admin account.
Vulnerability
A chained SQL injection and Insecure Direct Object Reference (IDOR) vulnerability exists in /admin/edit_customer.php and /admin/edit_supplier.php of SourceCodester Simple POS and Inventory System 1.0 [1]. The code directly concatenates the id GET parameter and all POST parameters into SQL UPDATE queries without sanitization, e.g., mysqli_query($conn, "update user set username='$username', password='$pass' where userid='$id'") [1]. The application also uses MD5 without salt for password storage [1].
Exploitation
An authenticated attacker can craft a POST request to /admin/edit_customer.php?id=1 with arbitrary username, password, and other POST fields [1]. The application never verifies that the requested id belongs to the attacker's session, so supplying id=1 targets the administrator account [1]. The request can be sent remotely; no special privileges are needed beyond any valid session [1].
Impact
Successful exploitation allows an attacker to overwrite the administrator's username and password, achieving full administrative account takeover [1]. This leads to complete compromise of the application's integrity and confidentiality [1].
Mitigation
As of the publication date (2026-05-25), no official patch has been released [1]. The vendor website (SourceCodester) does not provide a fixed version [2]. Users should restrict network access to the admin panel, use parameterized queries, enforce session-based authorization checks, and replace MD5 with a strong hashing algorithm [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Direct concatenation of user-supplied GET and POST parameters into SQL UPDATE queries without sanitization or parameterization, combined with missing session ownership checks."
Attack vector
An attacker sends a POST request to `/admin/edit_customer.php?id=1` (or the supplier equivalent) with arbitrary values for `username`, `password`, and other POST fields [ref_id=1]. Because the `id` parameter is directly concatenated into the SQL query, the attacker can inject SQL syntax to extract or modify database contents. Additionally, because no session ownership check is performed, any authenticated user can target any `userid`, including the administrator's account (userid=1), enabling full account takeover [ref_id=1].
Affected code
The vulnerability resides in `/admin/edit_customer.php` and `/admin/edit_supplier.php`. The `id` GET parameter and all POST parameters (`username`, `password`, etc.) are concatenated directly into a SQL UPDATE query without sanitization or parameterization [ref_id=1].
What the fix does
No patch has been published for this vulnerability [ref_id=1]. The researcher recommends replacing all raw SQL queries with parameterized prepared statements to prevent SQL injection, implementing ownership checks so users can only modify their own records (fixing the IDOR), and replacing MD5 with `password_hash()` using the BCRYPT algorithm for stronger password storage [ref_id=1].
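The handler below is an added example, not code from the SourceCodester project or the researcher's writeup. It puts the concatenated UPDATE the advisory quotes next to a hardened version that applies the three recommended fixes: a session ownership check on `id`, a prepared statement with bound parameters, and `password_hash()` with bcrypt. The `user` table and its `userid`, `username` and `password` columns come from the query quoted above; the `$_SESSION['userid']` key and the `$conn` mysqli handle are assumptions about how the application tracks the logged-in user and its database connection.

```php
<?php
// Added example, not the project's own code. Assumes $conn is an open
// mysqli connection and that the login code stores the current user's
// primary key in $_SESSION['userid'] (assumption).
session_start();

// Vulnerable pattern, as described in the advisory: $id comes from the
// query string and the POST fields are concatenated into the UPDATE, so
// both the SET and WHERE clauses are attacker-controlled, and nothing ties
// $id to the session. Kept here only for comparison; it is never called.
function update_user_vulnerable(mysqli $conn, string $id, string $username, string $password): bool
{
    $pass = md5($password); // unsalted MD5, as the advisory notes
    return (bool) mysqli_query(
        $conn,
        "update user set username='$username', password='$pass' where userid='$id'"
    );
}

// Hardened handler.
function update_user_hardened(mysqli $conn, array $session, string $rawId, string $username, string $password): bool
{
    // 1. Require a logged-in user and make sure the record being edited
    //    belongs to that user (fixes the IDOR).
    if (!isset($session['userid'])) {
        http_response_code(401);
        return false;
    }
    // Accept only a plain integer id before it gets anywhere near SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || $id !== (int) $session['userid']) {
        http_response_code(403);
        return false;
    }

    // 2. Store a salted bcrypt hash instead of md5($password).
    $hash = password_hash($password, PASSWORD_BCRYPT);

    // 3. Prepared statement: values are bound, never concatenated, so
    //    SQL syntax inside $username or $rawId has no effect on the query.
    $stmt = $conn->prepare('UPDATE user SET username = ?, password = ? WHERE userid = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssi', $username, $hash, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Only the hardened path is wired to the request.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = update_user_hardened(
        $conn,
        $_SESSION,
        $_GET['id'] ?? '',
        $_POST['username'] ?? '',
        $_POST['password'] ?? ''
    );
    echo $ok ? 'updated' : 'update refused';
}
```

Two caveats for anyone applying this to the real application. Switching to `password_hash()` only helps if the login handler is changed to `password_verify()` and existing MD5 rows are rehashed on next successful login; otherwise old hashes keep working and new ones never match. And if the admin panel is meant to let administrators edit other customers, the `$id !== $session['userid']` test should become a role check on the session rather than a strict equality, but the id must still be validated and bound the same way.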
Preconditions
- auth: Attacker must have a valid authenticated session (PHPSESSID cookie) to access the admin endpoints
- network: The application must be reachable over the network
- config: No input validation or prepared statements are in use on the vulnerable endpoints
Reproduction
Send a POST request to `/admin/edit_customer.php?id=1` with a valid session cookie and body parameters such as `username=admin&password=attacker123&name=Admin&address=x&contact=x`. The backend will execute an UPDATE on the administrator record (userid=1), overwriting the password with the attacker's chosen value [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/c4ttr4ck/599151a2b90c1cd620933c992873c67a (mitre, exploit)
- vuldb.com/submit/813613 (mitre, third-party-advisory)
- vuldb.com/vuln/365427 (mitre, vdb-entry, technical-description)
- vuldb.com/vuln/365427/cti (mitre, signature, permissions-required)
- www.sourcecodester.com (mitre, product)
News mentions
No linked articles in our index yet.