PHPGurukul Beauty Parlour Management System SQL Injection Vulnerability in Sales Reports Detail File

A critical SQL injection vulnerability has been identified in PHPGurukul Beauty Parlour Management System version 1.1. The issue resides in the file '/admin/sales-reports-detail.php', where the 'fromdate' and 'todate' parameters are manipulated, leading to SQL injection. This vulnerability can be exploited remotely, allowing attackers to inject malicious SQL queries that could be used to access, modify, or delete database information.

Impact

Exploitation of this vulnerability allows unauthorized database access, potential data modification or deletion, and access to sensitive information. It could also lead to a complete system compromise and disruption of services.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/admin/sales-reports-detail.php' with manipulated 'fromdate' or 'todate' parameters. This can be done using tools like sqlmap, which automates the process of finding and exploiting SQL injection vulnerabilities.

Remediation

It is recommended to implement prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be conducted to ensure that user input conforms to expected formats. Database user permissions should also be minimized to reduce the risk of unauthorized access.