SourceCodester Online Student Clearance System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in SourceCodester Online Student Clearance System version 1.0. The issue resides in the admin/edit-admin.php file, where the id, txtfullname, txtemail, and cmddesignation parameters can be manipulated to execute unauthorized SQL commands. This vulnerability can be exploited remotely, allowing attackers to access and potentially damage the database or steal information without authentication.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to /student_clearance/admin/edit-admin.php with an id parameter set to a valid administrator ID. Include the txtfullname, txtemail, and cmddesignation parameters in the request. The SQL injection can be achieved by crafting the input values to manipulate the SQL query executed by the application.