itsourcecode Student Information System SQL Injection Vulnerability in schedule_edit1.php

A SQL injection vulnerability has been identified in the itsourcecode Student Information System version 1.0. The issue resides in the file schedule_edit1.php, where the schedule_id parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, and an exploit is publicly available.

Impact

Exploitation of this vulnerability allows for unauthorized database access, leakage of sensitive data, data manipulation, and potentially complete control over the system, along with causing service disruptions.

Reproduction

To reproduce this vulnerability, log into the application with valid credentials. Once logged in, send a POST request to schedule_edit1.php with a crafted schedule_id parameter that includes malicious SQL payloads. The injection can be error-based or time-based blind SQL injection, depending on the payload used.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.