Code-Projects Simple Scheduling System SQL Injection Vulnerability in addcourse.php

A SQL injection vulnerability has been identified in Code-Projects Simple Scheduling System version 1.0, specifically in the addcourse.php file within the schedulingsystem directory. The vulnerability arises from inadequate validation of user input in the corcode parameter, allowing attackers to inject malicious SQL queries. This exploitation can be performed remotely without authentication, potentially leading to unauthorized access to the database, data manipulation or deletion, and exposure of sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries. This could result in unauthorized data access, data modification or deletion, and in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a POST request to the addcourse.php file with the corcode parameter. Injecting a crafted SQL payload, such as one that exploits time-based blind SQL injection, can demonstrate the vulnerability. The injection can be verified using SQL injection testing tools like sqlmap, which can automate the exploitation process and confirm the presence of the vulnerability.

Remediation

To address this vulnerability, it is recommended to implement prepared statements and parameter binding to prevent SQL injection. Additionally, user input should be validated and filtered to ensure it meets expected formats. Minimizing database user permissions and conducting regular security audits can further enhance the application's security.