PHPGurukul Restaurant Table Booking System
CPE: cpe:2.3:a:phpgurukul:restaurant_table_booking_system:*:*:*:*:*:*:*
Affected versions: 1.0
A critical SQL injection vulnerability has been identified in the PHPGurukul Restaurant Table Booking System version 1.0. The issue resides in the edit-subadmin.php file, where the value of the fullname parameter reaches an SQL UPDATE statement without adequate sanitization, so a remote attacker can inject SQL into that update. This may lead to unauthorized database access and data manipulation.
Successful exploitation gives the attacker control over SQL executed against the application's database. This could result in unauthorized data access, modification or deletion of data, and in some cases execution of administrative operations on the database.
To reproduce this vulnerability, log in with the admin credentials. Then send a POST request to edit-subadmin.php containing the fullname parameter. The parameter value is an SQL injection payload; a time-based blind technique, which causes a measurable delay in the response, is sufficient to confirm the issue.
It is recommended to use prepared statements with parameterized queries to prevent SQL injection attacks: the statement structure is fixed before any user-supplied value is bound, so the value cannot alter the query. Additionally, implement input validation and filtering so that user inputs conform to the expected format and length. Database accounts should operate under the principle of least privilege (the web application's account needs no DDL or administrative rights), and regular security audits should be conducted to identify and address potential vulnerabilities.
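As an added illustration (not PHPGurukul's source, which this entry does not reproduce), here is how a handler like edit-subadmin.php might issue the UPDATE in PHP: the injectable string-interpolation pattern beside its parameterized replacement. The mysqli connection `$con`, the table `tblsubadmin` and its columns are assumed names.

```php
<?php
// Added example, not the project's code. Assumes a mysqli connection $con and a
// table tblsubadmin(id, fullname); these names are assumptions.

// VULNERABLE pattern: the request value is interpolated directly into the SQL
// string, so any quote or SQL syntax inside $fullname becomes part of the query.
// This is the shape of bug described in the advisory above.
function updateSubadminVulnerable(mysqli $con, int $id, string $fullname): bool
{
    $sql = "UPDATE tblsubadmin SET fullname='$fullname' WHERE id=$id";
    return $con->query($sql) !== false;
}

// HARDENED version: a prepared statement with bound parameters. The statement
// text is compiled by MySQL first; the values travel separately and can never
// change the statement's structure, so time-based or any other injection fails.
function updateSubadminSafe(mysqli $con, int $id, string $fullname): bool
{
    // Input validation as a second layer: a display name has a bounded length
    // and character set (tighten or loosen the pattern to the application's needs).
    if ($fullname === '' || mb_strlen($fullname) > 100
        || !preg_match('/^[\p{L} .\'-]+$/u', $fullname)) {
        return false;
    }
    $stmt = $con->prepare("UPDATE tblsubadmin SET fullname=? WHERE id=?");
    if ($stmt === false) {
        return false;
    }
    // 's' binds fullname as a string, 'i' binds id as an integer.
    $stmt->bind_param('si', $fullname, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed handler wiring: values come from the request, never from the query text.
// $id = (int)($_GET['editid'] ?? 0);
// $fullname = $_POST['fullname'] ?? '';
// $updated = updateSubadminSafe($con, $id, $fullname);
```

Run the hardened function with the application's database user restricted to DML on its own tables; the prepared statement removes the injection, and the reduced privileges limit what a remaining bug elsewhere could reach.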