OS4ED openSIS SQL Injection Vulnerability in Attendance Codes Management

A SQL injection vulnerability has been identified in OS4ED openSIS versions 7.0 to 9.1. The issue arises in the attendance module, specifically within the AttendanceCodes.php file. This vulnerability allows remote, authenticated attackers with admin privileges to manipulate SQL queries by injecting payloads through the 'table' parameter. Exploitation of this vulnerability could lead to unauthorized access to sensitive database information.

Impact

Exploitation of this vulnerability allows for arbitrary SQL injection, enabling attackers to manipulate database queries and potentially access or modify sensitive information.

Reproduction

To reproduce this vulnerability, an authenticated user with admin rights can send a request to the '/Modules.php' endpoint, targeting the 'attendance/AttendanceCodes.php' module. The 'table' parameter should be replaced with a crafted SQL injection payload, such as '0 union select sleep(10)', to test the injection. If the application responds after a delay, it indicates that the injection was successful.