PHPGurukul Art Gallery Management System SQL Injection Vulnerability in add-artist.php

A critical SQL injection vulnerability has been identified in PHPGurukul Art Gallery Management System version 1.1. The issue resides in the file /admin/add-artist.php, where the awarddetails parameter can be manipulated to inject malicious SQL queries. This vulnerability allows attackers to access and manipulate the database, potentially leading to unauthorized data access, data modification, and execution of malicious operations on the server.

Impact

Exploitation of this vulnerability allows for unauthorized database access, data manipulation, and execution of arbitrary SQL commands, which could be used to compromise the application's data integrity and potentially the underlying server.

Reproduction

The vulnerability can be reproduced by sending a POST request to /admin/add-artist.php with the awarddetails parameter crafted to include SQL injection payloads. This can be done using tools like sqlmap, which automates the process of finding and exploiting SQL injection vulnerabilities.

Remediation

It is recommended to implement prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be applied to ensure that user inputs conform to expected formats, thereby blocking malicious data. Finally, database user permissions should be minimized to limit access rights to only what is necessary.