PHPGurukul Curfew e-Pass Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in the PHPGurukul Curfew e-Pass Management System version 1.0. The issue resides in the admin/pass-bwdates-report.php file, where the fromdate and todate parameters are not properly validated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, without any authentication.

Impact

Exploitation of this vulnerability allows unauthorized access to the application's database, where attackers can manipulate or delete data, access sensitive information, and potentially gain control over the application.

Reproduction

To reproduce this vulnerability, send a POST request to the admin/pass-bwdates-report.php file with the fromdate parameter injected with a crafted SQL payload that exploits the application's SQL query handling. The todate parameter can be filled with a standard date value. No authentication is required to access this endpoint.

Remediation

Developers are advised to implement proper input validation and use prepared statements to prevent SQL injection vulnerabilities. Additionally, review and sanitize user inputs before processing them in SQL queries.