OS4ED openSIS SQL Injection Vulnerability in Messaging Module Inbox

Vulnerability

A SQL injection vulnerability has been identified in OS4ED openSIS versions 7.0 through 9.1. The issue arises in the messaging module's inbox feature, specifically through the 'cp_id' parameter in 'Inbox.php'. This vulnerability allows remote, authenticated attackers with a 'teacher' role to inject SQL payloads, potentially leading to unauthorized data retrieval from the application's database.

Impact

Successful exploitation lets an attacker manipulate the application's database queries and access or modify database information arbitrarily.

Reproduction

To reproduce this vulnerability, send a request to the 'Modules.php' endpoint with the 'modname' parameter set to 'messaging/Inbox.php'. Include the 'button' parameter with the value 'Send', the 'list_gpa_student' parameter set to 'Y', and inject a SQL payload into the 'cp_id' parameter. The payload can, for example, use 'union select' to extract database information.
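
A detection check for the request shape described above, as an added example that is not part of the advisory or of openSIS. It assumes a legitimate 'cp_id' is a plain decimal identifier; the function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption (not stated in the advisory): a legitimate cp_id is a plain
# decimal identifier, so any other value in this request is worth an alert.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")
TARGET_MODNAME = "messaging/Inbox.php"


def inbox_cp_id_findings(url, body=""):
    """Return non-numeric cp_id values sent to Modules.php with
    modname=messaging/Inbox.php, checking query string and form body."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("modules.php"):
        return []
    params = parse_qs(parts.query)
    for key, values in parse_qs(body).items():
        params.setdefault(key, []).extend(values)
    if TARGET_MODNAME not in params.get("modname", []):
        return []
    # PHP also accepts array syntax (cp_id[]=...), so match on the base name.
    return [v for k, vals in params.items()
            if k.split("[", 1)[0] == "cp_id"
            for v in vals if not NUMERIC_ID.fullmatch(v)]


# Constructed sample records: (session user, request URL, url-encoded body).
SAMPLE_REQUESTS = [
    ("teacher01", "/Modules.php?modname=messaging/Inbox.php",
     "button=Send&list_gpa_student=Y&cp_id=42"),
    ("teacher02", "/Modules.php?modname=messaging/Inbox.php",
     "button=Send&list_gpa_student=Y&cp_id=42+union+select+1"),
    ("teacher03", "/Modules.php?modname=messaging/Inbox.php&cp_id=7%27--", ""),
    ("teacher04", "/Modules.php?modname=other/Module.php", "cp_id=abc"),
]


def scan(requests):
    """Return (user, suspicious cp_id values) for each flagged request."""
    alerts = []
    for user, url, body in requests:
        bad = inbox_cp_id_findings(url, body)
        if bad:
            alerts.append((user, bad))
    return alerts


if __name__ == "__main__":
    for user, values in scan(SAMPLE_REQUESTS):
        print(f"ALERT user={user} suspicious cp_id={values!r}")
```

Because the request carries 'button=Send', the parameters may arrive in the form body, so the check needs a log source that records request bodies (for example a WAF or reverse proxy), not only the URL.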

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.