PHPGurukul Directory Management System SQL Injection Vulnerability in Search Directory Functionality

A critical SQL injection vulnerability has been identified in PHPGurukul Directory Management System version 1.0. The issue resides in the file '/admin/search-directory.php', where the 'searchdata' parameter can be manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, allowing attackers to access and manipulate the database without authorization.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, data manipulation, and in some cases, executing commands on the server.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/admin/search-directory.php' with a crafted 'searchdata' parameter that includes malicious SQL payloads. This can be done using tools like sqlmap, which automates the process of finding and exploiting SQL injection vulnerabilities.

Remediation

It is recommended to update to a version of PHPGurukul Directory Management System that addresses this vulnerability. If no such version is available, consider applying input validation and using prepared statements to mitigate SQL injection risks.