PHPGurukul Pre-School Enrollment System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Pre-School Enrollment System version 1.0. The issue resides in the file '/admin/add-subadmin.php', where the 'sadminusername' parameter can be manipulated to inject malicious SQL queries. This vulnerability allows attackers to access and manipulate the database without authorization, potentially leading to unauthorized data access, modification, or deletion.

Impact

Exploitation of this vulnerability allows for unauthorized database access, manipulation of data, and execution of unauthorized operations, posing a severe risk to system security and data integrity.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/preschool/admin/add-subadmin.php' with a crafted 'sadminusername' parameter that includes SQL injection payloads. This can be done using tools like Burp Suite to intercept and modify the request.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, and minimize database user permissions.