Paroiciel
- <= 11.20
A SQL injection vulnerability has been identified in Paroiciel version 11.20. This vulnerability allows authenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the zProIdPro parameter. Exploitation of this vulnerability could lead to the extraction of sensitive database information, including usernames, database names, and version details. The issue arises when crafted SQL queries are sent via GET requests to the zpro.php script, taking advantage of improper input sanitization.
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries to execute arbitrary SQL commands. This could result in unauthorized data access, data manipulation, or in some cases, executing commands on the server if the database has such capabilities.
To reproduce this vulnerability, send a GET request to zpro.php with the zProIdPro parameter. Inject a crafted SQL payload that exploits the application's SQL query handling. The server response should indicate successful exploitation, such as returning database information or application data that should not be accessible.
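For defenders who want to spot attempts against this parameter in web server logs, the following is an added example (not part of the advisory or the vendor's code). It assumes Common Log Format access logs and that zProIdPro is expected to be a plain numeric identifier; the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /zpro.php?zProIdPro=42 HTTP/1.1" 200 1532
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /zpro.php?zProIdPro=42%27%20OR%201%3D1-- HTTP/1.1" 200 9811
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?zProIdPro=%27 HTTP/1.1" 200 2210
10.0.0.8 - - [01/Jan/2024:10:00:12 +0000] "GET /app/zpro.php?zProIdPro=abc&lang=fr HTTP/1.1" 200 1490
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ID_RE = re.compile(r"^\d+$")  # assumption: zProIdPro should be a numeric id
SQL_META = re.compile(r"['\";#]|--|/\*|\b(union|select|or|and|sleep|benchmark)\b", re.I)


def classify_value(value):
    """Return None for a well-formed id, otherwise a reason string."""
    if ID_RE.fullmatch(value):
        return None
    if SQL_META.search(value):
        return "sql-metacharacters"
    return "non-numeric"


def scan_log(text):
    """Flag GET requests to zpro.php whose zProIdPro value is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        parts = urlsplit(m["target"])
        if not parts.path.lower().endswith("/zpro.php"):
            continue  # only the script named in the advisory is of interest
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("zProIdPro", []):
            value = unquote_plus(raw)  # second decode catches double-encoded values
            reason = classify_value(value)
            if reason:
                findings.append({"ip": m["ip"], "ts": m["ts"], "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} zProIdPro={f['value']!r} ({f['reason']})")
```

The hardened fix on the application side is the usual one: validate zProIdPro as an integer and pass it to the database through a prepared statement rather than string concatenation.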