Campcodes Online Polling System SQL Injection Vulnerability in registeracc.php

A SQL injection vulnerability has been identified in Campcodes Online Polling System version 1.0, specifically within the registeracc.php file. The issue arises from inadequate validation of the email parameter, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, without any authentication, potentially leading to unauthorized database access, data manipulation, and leakage of sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries to gain unauthorized access to the database, modify or delete data, and access sensitive information. Such actions can disrupt services and pose a significant threat to overall system security.

Reproduction

To reproduce this vulnerability, send a POST request to the registeracc.php file with crafted payloads that exploit the email parameter. The payloads can be designed to perform boolean-based or time-based blind SQL injection, leveraging the application's SQL query handling to extract database information or manipulate database operations.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.