| शीर्षक | RafyMrX TOKO-ONLINE-ROTI latest (2026-05, no formal release) SQL Injection |
|---|
| विवरण | Description:
TOKO-ONLINE-ROTI contains multiple unauthenticated SQL injection
vulnerabilities in the login, cart, order management, and product
management functions.
Vuln 1 - Login bypass (proses/login.php):
$username = $_POST['username'];
$cek = mysqli_query($conn, "SELECT * FROM customer where username = '$username'");
No escaping or prepared statement. Login bypass with: admin' OR '1'='1'--
Vuln 2 - Cart injection (proses/add.php):
$_GET['kode_produk'], $_GET['kd_cs'] directly in SQL queries
SELECT/INSERT/UPDATE without any sanitization.
Vuln 3 - Order accept injection (admin/proses/terima.php):
$inv = $_GET['inv'];
$result = mysqli_query($conn, "SELECT * from produksi where invoice = '$inv'");
No authentication check before executing this query.
Vuln 4 - Eight admin functions without authentication (CWE-306):
del_produk.php, edit_inv.php, tambah_inv.php, tm_produk.php,
terima.php, tolak.php, hapus_inv.php — all lack session validation.
An attacker can delete products, modify inventory, and accept/reject orders
without logging in.
Countermeasure:
Use prepared statements with parameter binding. Add session authentication
checks to all admin/proses/ files before executing database operations. |
|---|
| स्रोत | ⚠️ https://github.com/RafyMrX/TOKO-ONLINE-ROTI |
|---|
| उपयोगकर्ता | Lzy200657 (UID 98649) |
|---|
| सबमिशन | 31/05/2026 07:58 AM (1 महीना पहले) |
|---|
| संयम | 11/07/2026 01:55 PM (1 month later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 377796 [RafyMrX TOKO-ONLINE-ROTI तक ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 proses/login.php उपयोगकर्ता नाम SQL इंजेक्शन] |
|---|
| अंक | 20 |
|---|