itsourcecode Student Management System SQL Injection Vulnerability in advisers.php

A SQL injection vulnerability exists in the itsourcecode Student Management System version 1.0, specifically within the advisers.php file. The issue arises because the application does not properly sanitize or validate the 'sy' parameter in GET requests, allowing attackers to inject malicious SQL code. This vulnerability can be exploited remotely without authentication.

Impact

Exploitation of this vulnerability allows for unauthorized database access, potential leakage or manipulation of sensitive data, and could disrupt service availability.

Reproduction

The vulnerability can be reproduced by sending a GET request to the advisers.php file with an injected payload in the 'sy' parameter. The injection can be crafted to exploit time-based blind SQL injection techniques, such as using the SQL SLEEP function to create a delay response, or to perform a UNION-based injection to extract data from the database.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.