| Título | itsourcecode Library Management System Project In Java With Source Code v1.0 SQL Injection |
|---|
| Descrição | Description:
A SQL injection vulnerability has been discovered in Library Management System Java Project (version <= v1.0). The vulnerability exists in the user verification functionality within library_management/src/Library_Management/Forgot.java. Due to direct concatenation of user input into SQL queries without proper parameterization and input validation, attackers can execute arbitrary SQL commands through maliciously crafted inputs.
Impact:
- Unauthorized access to database information
- Exposure of sensitive information (including user passwords)
- Potential database manipulation and corruption
Technical Details:
1. Vulnerability Type: SQL Injection (CWE-89)
2. Affected Version: v1.0 and below
3. Proof of Concept:
```sql
' OR 1=1 LIMIT 1 #
' UNION SELECT 'admin','compromised','pass',4,5 LIMIT 1 #
' UNION SELECT NULL,(SELECT password FROM account WHERE username='jude'),NULL,NULL,null LIMIT 1 #
```
Remediation:
1. Implement prepared statements
2. Add input validation mechanisms
3. Consider using ORM frameworks
4. Apply principle of least privilege
5. Encrypt sensitive data storage
Severity: High
References:
- OWASP SQL Injection Prevention Guide
- CWE-89: SQL Injection
- CERT Oracle Secure Coding Standard for Java
|
|---|
| Fonte | ⚠️ https://github.com/wlingze/IRify_scan/issues/1 |
|---|
| Utilizador | lingze (UID 83608) |
|---|
| Submissão | 01/04/2025 17h26 (há 1 Ano) |
|---|
| Moderação | 03/04/2025 21h12 (2 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 303272 [itsourcecode Library Management System 1.0 Forgot.java search txtuname Injeção SQL] |
|---|
| Pontos | 20 |
|---|