PHPGurukul Beauty Parlour Management System SQL Injection Vulnerability in Invoices Search Admin Page

A SQL injection vulnerability has been identified in PHPGurukul Beauty Parlour Management System version 1.1. The issue arises in the admin search invoices page, specifically within the 'searchdata' parameter. This vulnerability allows remote attackers to inject malicious SQL queries, potentially leading to unauthorized database access, data manipulation, and disruption of services.

Impact

Exploitation of this vulnerability allows attackers to inject malicious SQL queries, bypassing authentication and authorization. This could lead to unauthorized access to the database, allowing attackers to modify, delete, or exfiltrate sensitive data. Additionally, such exploitation could be used to execute administrative operations on the database or, in some cases, escalate privileges to the application level.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/admin/search-invoices.php' with a crafted 'searchdata' parameter. The injected SQL payload can exploit the application's SQL query handling, demonstrating the injection flaw.

Remediation

It is recommended to update the application to a version that addresses this vulnerability. If no update is available, consider implementing input validation and using prepared statements to mitigate SQL injection risks.