PHPGurukul Student Record System SQL Injection Vulnerability in Add-Subject.php

A critical SQL injection vulnerability has been identified in PHPGurukul Student Record System version 3.20. The issue resides in the add-subject.php file, specifically within the sub1 parameter. This vulnerability allows remote attackers to inject malicious SQL queries, which could be executed without proper authorization. The lack of adequate input validation for the sub1 parameter enables this exploitation, potentially leading to unauthorized database access, data manipulation, and leakage of sensitive information.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, data modification or deletion, and in some cases, full system compromise.

Reproduction

The vulnerability can be reproduced by sending a POST request to the add-subject.php file with a crafted payload that includes a SQL injection in the sub1 parameter. This payload can be designed to exploit time-based blind SQL injection, such as using a SQL command that causes a delay in the response, indicating successful injection.

Remediation

It is recommended to update the PHPGurukul Student Record System to a version that addresses this vulnerability. Users can also implement input validation and use prepared statements to prevent SQL injection attacks.