code-projects Employee Management System psubmit.php SQL injection
Description
A security flaw has been discovered in code-projects Employee Management System 1.0. Affected is an unknown function of the file /psubmit.php. The manipulation of the argument pid results in SQL injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Employee Management System 1.0's /psubmit.php allows remote attackers to manipulate database queries via the pid parameter.
Vulnerability
The Employee Management System 1.0 from code-projects.org [1] contains a SQL injection vulnerability in the file /psubmit.php. The pid parameter from a GET request is directly concatenated into an SQL UPDATE statement without parameterization or sanitization [2]. The vulnerable code path is reachable without authentication, as the endpoint is publicly accessible.
Exploitation
An attacker can exploit this vulnerability by sending a crafted GET request to /psubmit.php with a malicious pid parameter. The reference [2] provides a time-based blind SQL injection payload (e.g., 213'and(select*from(select+sleep(10))a//union//select+1)=') that, when URL-encoded and injected, causes a measurable delay in the server response. The application still returns a 302 Found redirect after executing the injected SQL, confirming the injection point. No authentication or special privileges are required.
Impact
Successful exploitation allows an attacker to manipulate the underlying database queries. This can lead to unauthorized changes to project status (e.g., altering subdate or status fields), inference of database structure or sensitive data via blind techniques, and potential compromise of data integrity and availability depending on database permissions [2].
Mitigation
As of the publication date, no official patch or fixed version has been released by the vendor. The project may be unmaintained. The recommended mitigation is to use parameterized queries (prepared statements) for all database interactions, particularly in the psubmit.php file. Until a fix is applied, administrators should restrict network access to the application or implement a web application firewall (WAF) to block SQL injection patterns.
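The following PHP is an added illustration of the mitigation described above; it is not the project's own psubmit.php, which is not reproduced in the references summarized here. It assumes a mysqli connection, a table named projects and the columns pid, status and subdate (taken from the field names mentioned under Impact; the real schema may differ). The first function shows the bug class the advisory describes, a GET parameter concatenated into an UPDATE statement; the second replaces it with integer validation plus a prepared statement, so the query text never contains user input.

```php
<?php
// Added example, not code from the code-projects Employee Management System.
// Connection details are placeholders; table/column names are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'ems_user', 'CHANGE_ME', 'ems_db');
$mysqli->set_charset('utf8mb4');

// VULNERABLE pattern (as described in the advisory): the raw pid value is
// spliced into the SQL string, so the request controls the query structure.
function submit_project_vulnerable(mysqli $db, array $get): void
{
    $pid = $get['pid'] ?? '';
    $db->query("UPDATE projects SET status = 'submitted', subdate = NOW() WHERE pid = '$pid'");
}

// FIXED: reject anything that is not a positive integer, then bind the value
// as a parameter. The SQL text is constant; the database receives pid as data.
function submit_project_fixed(mysqli $db, array $get): bool
{
    $pid = filter_var(
        $get['pid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($pid === false) {
        http_response_code(400);   // malformed pid: refuse instead of guessing
        return false;
    }

    $stmt = $db->prepare(
        "UPDATE projects SET status = 'submitted', subdate = NOW() WHERE pid = ?"
    );
    $stmt->bind_param('i', $pid); // 'i' = integer placeholder
    $stmt->execute();
    $changed = $stmt->affected_rows > 0;
    $stmt->close();
    return $changed;
}

// Request handling: keep the existing redirect behaviour, but only after the
// parameterized update has run.
if (submit_project_fixed($mysqli, $_GET)) {
    header('Location: index.php', true, 302);
    exit;
}
http_response_code(404);
echo 'Project not found or invalid request.';
```

The validation step is not a substitute for the prepared statement; it is there so that a non-numeric pid is answered with a 400 and can be logged or alerted on, which also gives a WAF or reverse proxy a clean signal while the patch is rolled out. Under a UPDATE-only grant for the application's database user, a successful injection in the vulnerable function would still be limited to what that user may do, which is why the Impact section ties severity to database permissions.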
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/zzzxc643/CVE1/blob/main/EMPLOYEE_MANAGEMENT_SYSTEM/vul22.md (mitre; exploit)
- vuldb.com/submit/813706 (mitre; third-party-advisory)
- code-projects.org (mitre; product)
- vuldb.com/vuln/365431 (mitre; vdb-entry, technical-description)
- vuldb.com/vuln/365431/cti (mitre; signature, permissions-required)
News mentions
No linked articles in our index yet.