Itsourcecode Placement Management System SQL Injection Vulnerability in add_company.php

Vulnerability

A critical SQL injection vulnerability has been identified in the Itsourcecode Placement Management System version 1.0. The issue arises in the add_company.php file, where user input from the 'name' parameter is not validated or sanitized before being used in SQL queries. This lack of input validation allows attackers to inject SQL code, potentially leading to unauthorized database access, data manipulation, and exposure of sensitive information. The vulnerability can be exploited remotely, without requiring any login or authorization.

Impact

Exploitation of this vulnerability allows for SQL injection, with potential impacts including unauthorized database access, data leakage, data manipulation, and execution of administrative operations on the database. According to the GitHub issue, the vulnerability could also lead to complete system control and service disruption.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /Placement/add_company.php endpoint. The request must include a crafted 'name' parameter that contains the SQL injection payload, along with the 'branch' and 'url' parameters. This can be done using a tool like sqlmap, which automates the process of finding and exploiting SQL injection vulnerabilities.

Remediation

To address this vulnerability, it is recommended to use prepared statements and parameter binding to separate SQL code from user input, ensuring that injected data is not executed as part of the SQL command. Additionally, input validation and filtering should be implemented to enforce expected data formats, database user permissions should be minimized, and regular security audits should be conducted to identify and remediate potential vulnerabilities.
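The following PHP is an added illustration of the remediation described above; it is not code from the Itsourcecode project or from the advisory. It assumes a PDO connection to a MySQL database, a table named company with the columns name, branch and url (the real schema is not given on this page), and placeholder credentials. It shows the string-concatenation pattern the advisory describes beside a hardened version that validates the request fields and binds them through a prepared statement.

```php
<?php
// Added example for the remediation section; not the project's own code.
// Assumed (not from the advisory): a `company` table with columns name, branch, url.

// Anti-pattern: request parameters interpolated directly into the SQL text.
// This is the class of defect the advisory describes for the 'name' parameter.
function addCompanyUnsafe(PDO $pdo, array $post): void
{
    $sql = "INSERT INTO company (name, branch, url) VALUES ('"
         . $post['name'] . "', '" . $post['branch'] . "', '" . $post['url'] . "')";
    $pdo->exec($sql); // user-supplied text becomes part of the statement itself
}

// Remediation step 1: enforce the expected shape of each field before it is used.
function validateCompanyInput(array $post): array
{
    $name   = trim((string)($post['name']   ?? ''));
    $branch = trim((string)($post['branch'] ?? ''));
    $url    = trim((string)($post['url']    ?? ''));

    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }
    if ($branch === '' || mb_strlen($branch) > 100) {
        throw new InvalidArgumentException('branch must be 1-100 characters');
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('url must be a valid URL');
    }
    return [$name, $branch, $url];
}

// Remediation step 2: a prepared statement with bound parameters, so the database
// receives the SQL text and the data values separately.
function addCompanySafe(PDO $pdo, array $post): void
{
    [$name, $branch, $url] = validateCompanyInput($post);

    $stmt = $pdo->prepare(
        'INSERT INTO company (name, branch, url) VALUES (:name, :branch, :url)'
    );
    $stmt->execute([
        ':name'   => $name,
        ':branch' => $branch,
        ':url'    => $url,
    ]);
}

// Connection setup (placeholder DSN and credentials). Emulated prepares are disabled
// so the MySQL server performs the binding; the account should hold only the
// privileges this page needs (e.g. INSERT on company), per the advice above.
$pdo = new PDO(
    'mysql:host=localhost;dbname=placement;charset=utf8mb4',
    'placement_app',
    'CHANGE_ME',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        addCompanySafe($pdo, $_POST);
        echo 'Company added';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Validation alone is not the defence here: the length and URL checks reject malformed input early and give clearer errors, but it is the bound parameters in addCompanySafe that guarantee the 'name' value can never be interpreted as SQL. The unsafe function is kept only to show the pattern to remove; it should not remain in a deployed file.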

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.