CVE-2026-3406

MEDIUM 6.9 / 10.0
Published: March 2, 2026 at 03:16 AM
Modified: March 3, 2026 at 07:46 PM
Source: cna@vuldb.com

Vulnerability Description

A vulnerability was found in projectworlds Online Art Gallery Shop 1.0. The impacted element is an unknown function of the file /admin/registration.php of the component Registration Handler. The manipulation of the argument fname results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.

CVSS Metrics

Base Score: 6.9
Severity: MEDIUM
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: cna@vuldb.com
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

This analysis rates the SQL injection in projectworlds Online Art Gallery Shop 1.0 as critical and describes it as allowing remote code execution; note, however, that the record's own CVSS 4.0 vector scores confidentiality, integrity and availability impact as Low (VC:L/VI:L/VA:L) for a MEDIUM base score of 6.9, and the CNA description establishes SQL injection, not code execution. Successful exploitation gives an unauthenticated remote attacker (PR:N, UI:N) unauthorized access to the database, which can lead to data breaches and, depending on the privileges of the database account, broader system compromise. A public exploit exists, which raises the likelihood of opportunistic exploitation.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious SQL injection payload designed to be injected into the fname parameter of the /admin/registration.php file.

Step 2: Request Submission: The attacker sends a specially crafted HTTP POST request to the vulnerable endpoint, including the malicious payload in the fname field.

Step 3: Query Execution: The application receives the request and, without proper sanitization, incorporates the attacker's payload directly into a SQL query.

Step 4: Database Interaction: The database server executes the modified SQL query, which now includes the attacker's malicious code.

Step 5: Data Extraction/Manipulation: Depending on the payload, the attacker can extract sensitive data (e.g., usernames, passwords), modify existing data, or potentially execute arbitrary commands on the database server, leading to complete system compromise.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation in /admin/registration.php, specifically in the handling of the fname parameter. The application does not sanitize user-supplied input before incorporating it into a SQL query, so an attacker can inject SQL syntax that alters the query's logic to extract sensitive information, modify data, or, depending on database privileges, run further commands on the database server. The root cause is the absence of parameterized queries (prepared statements); escaping with mysqli_real_escape_string() is a weaker fallback, since it only protects string literals and depends on the connection character set being set correctly, whereas a prepared statement keeps the query text fixed and passes values separately as data.
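The pattern described above, shown as an added example rather than the project's own code (the record does not reproduce the handler): a hypothetical registration handler that splices fname into an INSERT, beside the same handler rewritten with a mysqli prepared statement and basic shape validation. The table name, column names and the email field are assumptions.

```php
<?php
// Added illustration, not projectworlds' code. The record names
// /admin/registration.php and the fname parameter only; the table and
// column names below are assumed.

// --- Vulnerable pattern: user input becomes part of the SQL text ---
function register_vulnerable(mysqli $db, array $post): bool
{
    $fname = $post['fname'] ?? '';
    $email = $post['email'] ?? '';
    // Whatever is in $fname is parsed as SQL grammar, not treated as data:
    // a quote character ends the literal and the remainder is executed.
    $sql = "INSERT INTO users (fname, email) VALUES ('$fname', '$email')";
    return $db->query($sql) === true;
}

// --- Hardened pattern: fixed query text, values bound separately ---
function register_safe(mysqli $db, array $post): bool
{
    $fname = trim((string)($post['fname'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));

    // Validate shape before touching the database; reject rather than "clean".
    if ($fname === '' || mb_strlen($fname) > 64) {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Prepared statement: placeholders are bound as data and never re-parsed
    // as SQL, regardless of quotes or comment sequences in the input.
    $stmt = $db->prepare('INSERT INTO users (fname, email) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $fname, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (assumes an existing mysqli connection in $db):
// register_safe($db, $_POST);
```

With mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT), the PHP 8.1+ default, prepare() and execute() throw mysqli_sql_exception on failure instead of returning false, so wrap the call in a try/catch if you rely on that mode.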

CVE-2026-3406 - MEDIUM Severity (6.9) | Free CVE Database | 4nuxd