PHPGurukul Dairy Farm Shop Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in version 1.3 of the PHPGurukul Dairy Farm Shop Management System. The issue resides in the '/search-product.php' file, where the 'productname' parameter is manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, allowing attackers to access and manipulate the database, potentially leading to unauthorized data access, data modification or deletion, and disruption of services.

Impact

Exploitation of this vulnerability allows for unauthorized database access, manipulation or deletion of data, leakage of sensitive information, and could result in a complete compromise of the system.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/search-product.php' file with a crafted 'productname' parameter. Various payloads can be used to exploit the SQL injection, including boolean-based blind, error-based, time-based blind, and UNION query injections. The injection occurs because the 'productname' parameter is not properly validated before being used in SQL queries.

Remediation

To address this vulnerability, it is recommended to implement prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be applied to ensure that user input meets expected formats, blocking malicious data. Finally, database user permissions should be minimized, granting only necessary privileges to the account used for database connections.