PHPGurukul Park Ticketing Management System SQL Injection Vulnerability in Reports Details File

Vulnerability

A SQL injection vulnerability exists in the 'foreigner-bwdates-reports-details.php' file of PHPGurukul Park Ticketing Management System version 2.0. This vulnerability allows remote attackers to execute arbitrary SQL code by injecting payloads into the 'todate' parameter of a POST request.

Impact

Exploitation of this vulnerability could lead to unauthorized access and manipulation of database information, including sensitive data theft, data alteration or deletion, and disruption of services, causing potential financial losses and damage to the organization's reputation.

Reproduction

To reproduce this vulnerability, log into the admin panel of the Park Ticketing Management System. Navigate to the 'Report' section and select 'Foreigners People Report'. Choose any date range in the 'fromdate' and 'todate' input fields. Intercept the request using Burp Suite and inject a SQL injection payload into the 'todate' parameter. Send the modified request and observe the response for indications of successful exploitation, such as a delay that confirms the injection was executed.

Remediation

To address this vulnerability, PHPGurukul recommends input validation, using prepared statements for database queries, output encoding, and implementing a Content Security Policy. For detailed guidance, refer to the OWASP SQL Injection Prevention Cheat Sheet.
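
The following is an added example of the input validation and prepared-statement pattern for a date-range report; it is not code from PHPGurukul or from the affected file. The table name, column names and function names are hypothetical, and an in-memory SQLite database with constructed rows stands in for the application's database so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Strict YYYY-MM-DD check: accepts only values that round-trip unchanged,
// so trailing characters and impossible dates (e.g. 2025-02-30) are rejected.
function parse_report_date(string $raw): ?string
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

// Date-range report with bound parameters: the request values are sent to the
// database as data and never become part of the SQL text.
// "foreigner_tickets" and its columns are hypothetical names.
function foreigner_report(PDO $db, string $fromdate, string $todate): array
{
    $from = parse_report_date($fromdate);
    $to   = parse_report_date($todate);
    if ($from === null || $to === null || $from > $to) {
        throw new InvalidArgumentException('fromdate/todate must be valid YYYY-MM-DD dates in order');
    }
    $stmt = $db->prepare(
        'SELECT ticket_id, visitor_count, posting_date
           FROM foreigner_tickets
          WHERE posting_date BETWEEN :from_date AND :to_date
          ORDER BY posting_date'
    );
    $stmt->execute([':from_date' => $from, ':to_date' => $to]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (SQLite stand-in for the real database).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE foreigner_tickets (ticket_id INTEGER PRIMARY KEY, visitor_count INTEGER, posting_date TEXT)');
$db->exec("INSERT INTO foreigner_tickets (visitor_count, posting_date)
           VALUES (2, '2025-05-30'), (4, '2025-06-02'), (1, '2025-06-20')");

// A well-formed range returns only the rows inside it.
print_r(foreigner_report($db, '2025-06-01', '2025-06-10'));

// A todate carrying anything beyond a date is refused before any query runs.
try {
    foreigner_report($db, '2025-06-01', "2025-06-10'");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The validation step narrows what the report accepts, while the bound parameters are what keep the query structure fixed even if a validation rule is later loosened.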

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.