SLIMS SQL Injection Vulnerability in Visitor Report Module Allowing Privilege Escalation

Vulnerability

A SQL injection vulnerability has been identified in SLIMS version 9.6.1, specifically within the visitor_report_day.php component of the reporting module. The flaw allows a remote attacker who already holds admin privileges to inject SQL through the month parameter, which is placed into a database query without validation, potentially exposing sensitive database contents.

Impact

Exploitation of this vulnerability could result in unauthorized database access and data breaches.

Reproduction

To reproduce this vulnerability, intercept a request to the visitor_report_day.php file using Burp Suite. Modify the month parameter to inject SQL payloads, either manually or by using SQLmap to automate the process. After injecting the payload, the SQL injection can be exploited to extract data from the database.

Remediation

Users are advised to update to the latest version of SLIMS. The vulnerability has been patched by modifying the visitor_report_day.php file to include proper input validation and sanitization for the month parameter.
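The following is an added example, not the SLIMS project's own patch, of the kind of fix the remediation describes: the month parameter is whitelisted to an integer in the range 1-12 before use, and the value is bound into a prepared statement rather than concatenated into the SQL text. The function names, the `visitor_count` table and the `checkin_date` column are assumptions for illustration and are not taken from the SLIMS code base.

```php
<?php
// Added example (not SLIMS code): hardened handling of a `month` report parameter.
// Table/column names below are hypothetical placeholders.

declare(strict_types=1);

/**
 * Validate the `month` request parameter.
 * Accepts only one or two ASCII digits (a <select> may send "05") whose value
 * is 1..12. Returns the integer, or null when the value is absent or malformed.
 */
function parseMonthParam(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    // Strict whitelist: digits only, so quotes, spaces, comments and operators never pass.
    if (!preg_match('/^\d{1,2}$/', $raw)) {
        return null;
    }
    $month = (int) $raw;
    return ($month >= 1 && $month <= 12) ? $month : null;
}

/**
 * Fetch daily visitor counts for one month using a prepared statement, so the
 * validated values are bound as data and never become part of the SQL string.
 */
function visitorReportForMonth(mysqli $db, int $year, int $month): array
{
    $sql = 'SELECT DAY(checkin_date) AS day, COUNT(*) AS visitors'
         . ' FROM visitor_count'                                   // hypothetical table
         . ' WHERE YEAR(checkin_date) = ? AND MONTH(checkin_date) = ?'
         . ' GROUP BY DAY(checkin_date)'
         . ' ORDER BY day';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('ii', $year, $month);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Self-check of the whitelist with constructed inputs (needs no database):
foreach (['05' => 5, '12' => 12, '13' => null, '5 x' => null, '' => null] as $in => $want) {
    assert(parseMonthParam((string) $in) === $want);
}

// Request handling: reject anything that is not a valid month before touching the DB.
$month = parseMonthParam($_GET['month'] ?? null);
if ($month === null) {
    http_response_code(400);
    exit('Invalid month parameter');
}
$year = (int) date('Y'); // a real page would validate a year parameter the same way

// Connection details are deployment-specific and deliberately omitted here:
// $db   = new mysqli($host, $user, $pass, $dbname);
// $rows = visitorReportForMonth($db, $year, $month);
```

The two layers are deliberate: the regex-and-range check rejects malformed input early with a clear 400 response, and the prepared statement guarantees that even a value which slipped past validation could not alter the query structure. Validation alone is not a substitute for parameter binding, and binding alone still leaves the report accepting meaningless months such as 13.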

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm scores:
spread: 3.4
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.