Blood Bank Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in the Blood Bank Management System version 1.0. The issue resides in the file '/user_dashboard/view_donor.php', where the 'donor_id' parameter can be manipulated to inject malicious SQL queries. This vulnerability is exploitable remotely and has been publicly disclosed.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can inject and execute malicious SQL queries. This could lead to unauthorized access to the database, manipulation of database contents, or potentially executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, log into the application as a low-privileged user. Navigate to the 'view_donor.php' page and append a SQL injection payload to the 'donor_id' parameter. The application will respond with a SQL error, indicating that the injection was successful. After confirming the vulnerability, it can be exploited using SQLMap or a manual SQL injection technique.