1000projects Online Notice Board SQL Injection Vulnerability in Register.php

A critical SQL injection vulnerability has been identified in the Online Notice Board project version 1.0, specifically in the register.php file. The vulnerability arises from inadequate validation of the 'fname' parameter, allowing attackers to inject malicious SQL queries that could be executed by the database. This issue can be exploited remotely, without the need for authentication.

Impact

Exploitation of this vulnerability allows for unauthorized access to the database, potential leakage or manipulation of sensitive data, and could disrupt service availability.

Reproduction

The vulnerability can be reproduced by sending a POST request to register.php with a crafted 'fname' parameter that includes malicious SQL payloads. This injection takes advantage of time-based blind SQL injection techniques, such as using the SQL 'SLEEP' function to demonstrate the vulnerability.

Remediation

To address this vulnerability, it is recommended to use prepared statements and parameter binding to separate SQL code from user input, validate and filter user input to ensure it meets expected formats, minimize database user permissions, and conduct regular security audits.