PHPGurukul Human Metapneumovirus Testing Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in version 1.0 of the PHPGurukul Human Metapneumovirus Testing Management System. The issue resides in the file '/search-report-result.php', where the 'serachdata' parameter is manipulated to inject malicious SQL queries. This vulnerability allows attackers to access and manipulate the database, potentially leading to unauthorized data access, data modification or deletion, and exploitation of the underlying system.

Impact

Exploitation of this vulnerability allows for unauthorized database access, data manipulation, and execution of arbitrary operations on the server, posing a significant risk to system integrity and availability.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/hmpv-tms/search-report-result.php' with the 'serachdata' parameter. The injection can be verified using payloads that exploit boolean-based blind or time-based blind SQL injection techniques.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be implemented to ensure that user input conforms to expected formats. Finally, database user permissions should be minimized to the least required for operations.