Campcodes School File Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Campcodes School File Management System version 1.0. The issue arises in the Login component, specifically within the index.php file. The vulnerability allows remote attackers to manipulate the stud_no parameter, injecting malicious SQL queries that could be executed by the application's database. This exploitation does not require any form of authentication.

Impact

Exploitation of this vulnerability allows unauthorized users to execute arbitrary SQL commands, potentially leading to unauthorized data access, data manipulation, and in some cases, full system compromise.

Reproduction

The vulnerability can be reproduced by sending a POST request to the index.php file in the School File Management System application. The request must include the stud_no parameter with a crafted SQL payload. This can be done using tools like sqlmap, which automates the process of finding and exploiting SQL injection vulnerabilities.

Remediation

To address this vulnerability, it is recommended to implement input validation and sanitization for the stud_no parameter, use prepared statements to prevent SQL injection, and conduct regular security audits to identify and fix vulnerabilities.