PHPGurukul Apartment Visitors Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in the PHPGurukul Apartment Visitors Management System version 1.0. The issue resides in the file '/admin/bwdates-reports-details.php', where the 'fromdate' parameter is manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, allowing attackers to access, modify, or delete database information without authorization.

Impact

Exploitation of this vulnerability allows for unauthorized database access, potential data modification or deletion, and leakage of sensitive information. Such actions could disrupt services and compromise overall system security.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/admin/bwdates-reports-details.php' with the 'fromdate' parameter crafted to include a SQL injection payload. The 'todate' parameter can be filled with a normal date value. This injection can be verified by using a payload that, for example, makes the database wait for a few seconds before responding, indicating successful exploitation.

Remediation

To address this vulnerability, it is recommended to implement prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be applied to ensure that user input meets expected formats, thereby blocking malicious data. Finally, database user permissions should be minimized, ensuring that the account used for database connections has only the necessary privileges.