Open ISES Project SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Open ISES Project version 3.30A. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the frm_passwd parameter. Exploitation involves sending POST requests to main.php with crafted SQL that can extract sensitive database information such as usernames, database names, and version details.

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, which can lead to unauthorized data access or manipulation. In this case, it could be used to extract sensitive information from the database, including usernames and version details.

Reproduction

The vulnerability can be reproduced by sending a POST request to main.php with a SQL injection payload in the frm_passwd parameter. This can be done using a tool like Burp Suite or through a simple script that automates the process. The injected SQL can be crafted to extract database information, demonstrating the vulnerability's impact.