Summary
Multiple critical security vulnerabilities in Mini Inventory and Sales Management System including unauthenticated access to search functionality, multiple SQL injection vectors, globally disabled CSRF protection, and exposed database operations.
Vulnerability Details
1. Commented-Out Authentication on Search Controller (CRITICAL)
The Search controller has its checkLogin() call commented out, meaning all search endpoints are accessible without authentication. An unauthenticated attacker can search items and transactions, gaining access to inventory data and sales records.
2. SQL Injection in Items::gettablecol() (CRITICAL)
Column names sourced from URL parameters are interpolated directly into SQL queries without sanitization or parameterization. An attacker can inject arbitrary SQL via the column name parameter.
3. SQL Injection in Transaction::getAll() ORDER BY (HIGH)
In the SQLite3 code path, the ORDER BY clause in Transaction::getAll() incorporates user input without parameterization, enabling SQL injection.
4. SQL Injection in Transaction::getDateRange() (HIGH)
In the SQLite3 code path, Transaction::getDateRange() incorporates user input into the query without proper parameterization.
5. SQL Injection in Item::newstock() and Item::deficit() (HIGH)
The $qty parameter in both newstock() and deficit() methods is not parameterized when incorporated into SQL queries, allowing injection.
6. CSRF Globally Disabled (HIGH)
The CodeIgniter CSRF protection is globally disabled via $config['csrf_protection'] = FALSE in the configuration file. This means all state-changing operations (creating items, recording transactions, importing/exporting data) are vulnerable to cross-site request forgery attacks.
7. Database Download/Import Without CSRF (CRITICAL)
Database export (download) and import endpoints lack CSRF protection. A malicious page could:
- Exfiltrate the entire database by triggering a download
- Replace the entire database by submitting an import form
8. Test Controller Exposes Password Hash Generation (MEDIUM)
A test controller is accessible without authentication and exposes password hash generation functionality. While not directly exploitable, it reveals internal implementation details.
9. Hardcoded Encryption Key (MEDIUM)
The config.php file contains a hardcoded encryption key. Since this is a public repository, the key is known to anyone and provides no meaningful security for data encrypted with it.
Impact
- Unauthenticated data access: Search functionality exposes inventory and transaction data without login
- SQL injection: Multiple vectors allow data exfiltration, modification, or (depending on DB configuration) remote code execution
- Database theft/replacement: No CSRF protection on DB export/import enables full database exfiltration or replacement via a crafted page
- Cross-site request forgery: All state-changing operations can be triggered by malicious third-party pages
Recommended Fixes
- Uncomment the
checkLogin() call in the Search controller to require authentication
- Parameterize all SQL queries — use prepared statements with bound parameters for all user input, including column names (use an allowlist for column names)
- Enable CSRF protection — set
$config['csrf_protection'] = TRUE and ensure all forms include CSRF tokens
- Add CSRF protection to database import/export operations
- Remove or restrict the test controller in production
- Externalize the encryption key — do not commit it to the repository
Disclosure
This report is intended to help improve the security of the Mini Inventory and Sales Management System. I'm happy to clarify any of these findings.
Summary
Multiple critical security vulnerabilities in Mini Inventory and Sales Management System including unauthenticated access to search functionality, multiple SQL injection vectors, globally disabled CSRF protection, and exposed database operations.
Vulnerability Details
1. Commented-Out Authentication on Search Controller (CRITICAL)
The Search controller has its
checkLogin()call commented out, meaning all search endpoints are accessible without authentication. An unauthenticated attacker can search items and transactions, gaining access to inventory data and sales records.2. SQL Injection in Items::gettablecol() (CRITICAL)
Column names sourced from URL parameters are interpolated directly into SQL queries without sanitization or parameterization. An attacker can inject arbitrary SQL via the column name parameter.
3. SQL Injection in Transaction::getAll() ORDER BY (HIGH)
In the SQLite3 code path, the ORDER BY clause in
Transaction::getAll()incorporates user input without parameterization, enabling SQL injection.4. SQL Injection in Transaction::getDateRange() (HIGH)
In the SQLite3 code path,
Transaction::getDateRange()incorporates user input into the query without proper parameterization.5. SQL Injection in Item::newstock() and Item::deficit() (HIGH)
The
$qtyparameter in bothnewstock()anddeficit()methods is not parameterized when incorporated into SQL queries, allowing injection.6. CSRF Globally Disabled (HIGH)
The CodeIgniter CSRF protection is globally disabled via
$config['csrf_protection'] = FALSEin the configuration file. This means all state-changing operations (creating items, recording transactions, importing/exporting data) are vulnerable to cross-site request forgery attacks.7. Database Download/Import Without CSRF (CRITICAL)
Database export (download) and import endpoints lack CSRF protection. A malicious page could:
8. Test Controller Exposes Password Hash Generation (MEDIUM)
A test controller is accessible without authentication and exposes password hash generation functionality. While not directly exploitable, it reveals internal implementation details.
9. Hardcoded Encryption Key (MEDIUM)
The
config.phpfile contains a hardcoded encryption key. Since this is a public repository, the key is known to anyone and provides no meaningful security for data encrypted with it.Impact
Recommended Fixes
checkLogin()call in the Search controller to require authentication$config['csrf_protection'] = TRUEand ensure all forms include CSRF tokensDisclosure
This report is intended to help improve the security of the Mini Inventory and Sales Management System. I'm happy to clarify any of these findings.