code-projects Employee Management System changepassemp.php sql injection

Vulnerability

A SQL injection vulnerability exists in code-projects Employee Management System 1.0 within the file /changepassemp.php. The application directly concatenates user-supplied input from the id parameter into a SQL query without sanitization or parameterization [2]. This allows an attacker to inject arbitrary SQL commands. The vulnerability is present in version 1.0 and earlier.

Exploitation

An attacker can exploit this vulnerability remotely without authentication. The exploit requires sending a crafted POST request to /changepassemp.php with a malicious id parameter. A proof-of-concept payload uses a time-based blind SQLi technique: (select*from(select+sleep(5)union/**/select+1)a) [2]. The application does not check if the database query succeeded, leading to both SQL injection and information disclosure via verbose PHP error messages that leak internal paths [2].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries against the database, potentially leading to data exfiltration, authentication bypass, or further compromise. Additionally, the verbose error handling discloses sensitive server details such as file system paths and code line numbers, aiding attackers in mapping the infrastructure and chaining with other vulnerabilities [2].

Mitigation

As of the publication date, no official patch has been released by code-projects. The vendor's source code is available at [1]. Mitigation steps include implementing prepared statements or parameterized queries, sanitizing all user inputs, and disabling detailed error messages in production. Until a fix is applied, users should restrict network access to the application and monitor for suspicious requests.