HashenUdara edoc-doctor-appointment-system
cpe:2.3:a:edoc-doctor-appointment-system_project:edoc-doctor-appointment-system:*:*:*:*:*:*:*
- 1.0.1
A SQL injection vulnerability has been identified in the Edoc Doctor Appointment System version 1.0.1. The issue arises in the appointment management feature, specifically within the admin panel. The vulnerability allows authenticated users with admin access to execute arbitrary SQL commands by manipulating the 'docid' parameter in POST requests to the '/admin/appointment.php' endpoint. This exploitation is possible due to improper input validation and the lack of parameterized queries, leaving the application susceptible to SQL injection attacks.
Exploitation of this vulnerability allows authenticated admin users to inject malicious SQL into the application's database queries. This could lead to unauthorized data access, data manipulation, or potentially executing administrative functions within the application, depending on the database permissions assigned to the admin account.
To reproduce this vulnerability, log into the application as an admin user and navigate to the 'Appointments' management page. Once there, use Burp Suite to intercept the request when applying a filter that includes the 'docid' parameter. Modify this parameter to include SQL injection payloads, such as boolean-based injection techniques, and then send the request. The SQL injection can be automated with tools like sqlmap, which can exploit the vulnerability and interact with the database.
It is recommended to use prepared statements with parameter binding to prevent SQL injection. Server-side validation of input parameters, especially those used in SQL queries, should be implemented. Additionally, the application should avoid direct concatenation of user input into SQL commands. After addressing the vulnerability, a thorough code audit is advised to identify and remediate any similar SQL injection risks.
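The remediation above, as an added example that is not code from the Edoc project: the concatenation pattern the advisory describes for the 'docid' filter beside a hardened version that validates the value server-side and binds it through a prepared statement. The mysqli connection, the `appointment` table and its `docid` column are assumptions; the real schema may differ.

```php
<?php
// Added example, not the project's code. Assumes a mysqli connection ($db) and an
// 'appointment' table with a 'docid' column; the real schema may differ.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// BEFORE: the value from $_POST['docid'] is spliced into the SQL text, so a quote
// or boolean expression inside it changes the query's logic.
function appointments_by_doctor_vulnerable(mysqli $db, string $docid): array
{
    $sql = "SELECT * FROM appointment WHERE docid = '" . $docid . "'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// AFTER: check the type server-side, then bind the value as a parameter.
// The SQL text is fixed at prepare() time; the bound value is never parsed as SQL.
function appointments_by_doctor_safe(mysqli $db, mixed $docid): array
{
    $id = filter_var($docid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject rather than "clean" the input; log the rejection so probing is visible.
        throw new InvalidArgumentException('docid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT * FROM appointment WHERE docid = ?');
    $stmt->bind_param('i', $id);   // 'i' = integer; sent separately from the query text
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage in the admin filter handler:
// $rows = appointments_by_doctor_safe($db, $_POST['docid'] ?? '');
```

The same pattern (validate, then bind) applies to every other request parameter that reaches a query, which is what the follow-up code audit should look for.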