Codezips Gym Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Codezips Gym Management System version 1.0. The issue arises in the file '/dashboard/admin/health_status_entry.php', where the 'usrid' parameter can be manipulated to inject arbitrary SQL commands. This vulnerability can be exploited remotely, potentially leading to unauthorized database access, data manipulation, and system compromise.

Impact

Exploitation of this vulnerability allows attackers to inject SQL commands that could be executed by the database. This could result in unauthorized data access, data modification or deletion, and in some cases, could lead to executing commands on the server with the application's privileges.

Reproduction

The vulnerability can be reproduced by sending a request to '/dashboard/admin/health_status_entry.php' with a crafted 'usrid' parameter that includes SQL injection payloads. This can be done using tools like sqlmap, which automates the process of finding and exploiting SQL injection vulnerabilities.

Remediation

To address this vulnerability, it is recommended to use prepared statements or parameter binding to separate SQL logic from user input, enforce strict input validation on the 'usrid' parameter, apply the principle of least privilege for database user accounts, and conduct regular security audits.