PHPGurukul Pre-School Enrollment System SQL Injection Vulnerability in Visitor Details Management

Vulnerability

A critical SQL injection vulnerability has been identified in the PHPGurukul Pre-School Enrollment System version 1.0. The issue resides in the file '/admin/visitor-details.php', where the 'status' parameter in POST requests is not properly validated. This lack of input sanitization allows attackers to inject malicious SQL queries, potentially leading to unauthorized database access, data manipulation or deletion, and exposure of sensitive information.

Impact

Exploitation of this vulnerability could allow attackers to access the database without authorization, modify or delete data, and leak sensitive information. Such actions could disrupt services and compromise the overall security of the system.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/preschool/admin/visitor-details.php' with an injected payload in the 'status' parameter. This payload should be crafted to exploit the SQL injection flaw, such as by using a time-based blind injection technique that leverages SQL commands like 'SLEEP' to demonstrate the injection's effectiveness.

Remediation

It is recommended to implement prepared statements and parameter binding to prevent SQL injection, validate and filter user input, and limit database user permissions to the minimum required.
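A minimal sketch of the remediation above, added here as an example and not taken from the project's code: the 'status' value is checked against an allowlist and then bound as a parameter instead of being concatenated into the query. The table and column names (`visitors`, `id`, `status`), the allowed status values and the function name `updateVisitorStatus` are assumptions, and an in-memory SQLite database stands in for the application's database so the block runs offline.

```php
<?php
declare(strict_types=1);

// Assumed set of legitimate values for the 'status' POST parameter.
const ALLOWED_STATUS = ['Read', 'Unread'];

// Hypothetical helper: validates both inputs, then updates with bound parameters.
function updateVisitorStatus(PDO $db, $id, $status): bool
{
    // Input validation: id must be a positive integer, status must be allowlisted.
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !is_string($status)
        || !in_array($status, ALLOWED_STATUS, true)) {
        return false; // reject before any SQL is built
    }

    // Prepared statement: the query text is fixed, user input travels only as
    // bound values and is never parsed as SQL.
    $stmt = $db->prepare('UPDATE visitors SET status = :status WHERE id = :id');
    $stmt->bindValue(':status', $status, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed sample data. With a MySQL connection, also set
// PDO::ATTR_EMULATE_PREPARES to false so binding is done by the server, and
// connect as an account limited to the statements this page needs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visitors (id INTEGER PRIMARY KEY, name TEXT, status TEXT)');
$db->exec("INSERT INTO visitors (name, status) VALUES ('Constructed Visitor', 'Unread')");

// Allowlisted value: accepted and written.
var_dump(updateVisitorStatus($db, '1', 'Read'));

// Constructed non-allowlisted value containing SQL metacharacters: rejected.
var_dump(updateVisitorStatus($db, '1', "Read' -- "));

// The stored row reflects only the validated update.
var_dump($db->query('SELECT status FROM visitors WHERE id = 1')->fetchColumn());
```

Even if the allowlist check were removed, the bound parameter would store the second value as a literal string rather than execute it, which is why the two controls are layered.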

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 7.5
exploitability: 9.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.