PHPGurukul Daily Expense Tracker SQL Injection Vulnerability in Forgot Password Functionality

A critical SQL injection vulnerability has been identified in the Daily Expense Tracker System by PHPGurukul, specifically in version 1.1. The issue arises in the forgot-password.php file, where the email parameter is manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, allowing attackers to access and manipulate the database without authorization.

Impact

Exploitation of this vulnerability could lead to unauthorized database access, allowing attackers to view, modify, or delete data. Additionally, it could result in the execution of administrative operations on the database, potentially compromising the entire application.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/dets/forgot-password.php' endpoint. The request must include the 'email' parameter with a crafted payload that exploits the SQL injection flaw, such as one that uses time-based blind SQL injection techniques. This can be done manually or with automated tools like SQLMap.

Remediation

To address this vulnerability, it is recommended to implement prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be applied to ensure that user input meets expected formats, blocking malicious data. Finally, database user permissions should be minimized, granting only the necessary rights to the account used for database connections.