PHPGurukul Human Metapneumovirus Testing Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul's Human Metapneumovirus Testing Management System version 1.0. The issue resides in the '/bwdates-report-result.php' file, where the 'todate' parameter is manipulated to inject malicious SQL queries. This exploitation occurs without proper input validation or sanitization, allowing attackers to interfere with SQL commands and execute unauthorized database operations. The vulnerability can be exploited remotely, posing significant risks to data integrity and system security.

Impact

Exploitation of this vulnerability allows attackers to inject and execute malicious SQL queries, potentially leading to unauthorized database access, data manipulation or deletion, and execution of administrative operations on the database. This could result in a complete compromise of the application and its data.

Reproduction

To reproduce this vulnerability, send a POST request to '/hmpv-tms/bwdates-report-result.php' with the 'fromdate' parameter set to '2000-01-01' and the 'todate' parameter injected with a malicious payload that exploits the SQL injection vulnerability. The injection can be verified by using a payload that, for example, causes a time-based delay, indicating successful exploitation.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection vulnerabilities. Additionally, input validation and filtering should be implemented to ensure that user input conforms to expected formats, blocking malicious data. Finally, database user permissions should be minimized, ensuring that accounts used for database connections have only the necessary privileges.