Submit #289940: sourcecodester Computer Inventory System 1.0 SQL Injection

Title: sourcecodester Computer Inventory System 1.0 SQL Injection
Description: The Computer Inventory System by SOURCECODESTER contains a critical SQL injection vulnerability in its /endpoint/delete-computer.php component. The computer parameter taken from the URL is concatenated directly into the SQL query without sanitization or parameter binding, so an attacker can inject SQL through it. This allows execution of arbitrary SQL statements against the backing database, which can lead to unauthorized deletion of records, leakage of data, or full compromise of the database. The HTTP request in the source shows the issue being triggered by appending the tautology 1' or '1'='1 to the computer parameter, which changes the logic of the WHERE clause so that the query acts on rows the application never intended. The fix is to use prepared statements with bound parameters (and to validate that the parameter has the expected type) rather than building the query from user-supplied strings.
Source: https://github.com/skid-nochizplz/skid-nochizplz/blob/main/TrashBin/CVE/SOURCECODESTER%20Computer%20Inventory%20System%20Using%20PHP/SQL%20Injection%20delete-computer.php%20.md
User: nochizplz (ID 64302)
Submission: 02/28/2024 14:19
Moderation: 03/01/2024 08:16 (2 days later)
Status: Accepted
VulDB Entry: 255382
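The following is an added example, not code from the Computer Inventory System or from the submitter. It reproduces the class of flaw described above in a self-contained way: a delete handler that splices the computer parameter into the query text, next to the same handler written with a bound parameter. The table name computers, the id column and the seed rows are constructed for the example and are not taken from the application; SQLite stands in for the application's database, since the injection behaves the same way in MySQL.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions, not the
# Computer Inventory System's real schema.
SEED_ROWS = [(1, "ws-01"), (2, "ws-02"), (3, "srv-01")]

# The tautology payload from the advisory, appended to a valid id.
PAYLOAD = "1' or '1'='1"


def fresh_db():
    """Create an in-memory database seeded with three inventory rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE computers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO computers VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def delete_vulnerable(conn, computer):
    """Mirrors the flaw in the advisory: the request parameter is formatted
    straight into the SQL text, so a quote in it ends the string literal and
    the rest of the value becomes part of the WHERE clause."""
    sql = f"DELETE FROM computers WHERE id = '{computer}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows actually deleted


def delete_prepared(conn, computer):
    """Hardened form: the value is bound as a parameter, so it is always
    treated as data and can never change the shape of the statement."""
    cur = conn.execute("DELETE FROM computers WHERE id = ?", (computer,))
    conn.commit()
    return cur.rowcount


def remaining(conn):
    """Rows left in the table after a delete."""
    return conn.execute("SELECT COUNT(*) FROM computers").fetchone()[0]


def demo(handler, computer):
    """Run one handler against a fresh database and report
    (rows deleted, rows remaining)."""
    conn = fresh_db()
    deleted = handler(conn, computer)
    left = remaining(conn)
    conn.close()
    return deleted, left


if __name__ == "__main__":
    for handler in (delete_vulnerable, delete_prepared):
        for value in ("1", PAYLOAD):
            deleted, left = demo(handler, value)
            print(f"{handler.__name__:18} computer={value!r:18} "
                  f"deleted={deleted} remaining={left}")
```

With the legitimate value "1" both handlers delete exactly one row. With the payload, the vulnerable handler executes DELETE FROM computers WHERE id = '1' or '1'='1', which is true for every row, so the whole table is wiped; the prepared handler compares the id column against the literal string 1' or '1'='1, matches nothing and deletes nothing. In the PHP application the equivalent fix is a mysqli or PDO prepared statement with the computer value bound as a parameter, together with a check that the value is an integer before it reaches the query.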
