PHPGurukul Student Record System SQL Injection Vulnerability in session.php

A critical SQL injection vulnerability has been identified in PHPGurukul Student Record System version 3.2. The issue resides in the session.php file, where the session parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, with public knowledge of the exploit available.

Impact

Exploitation of this vulnerability allows unauthorized access to the database, manipulation or deletion of data, and potential control over the system, disrupting services and posing a significant security risk.

Reproduction

The vulnerability can be reproduced by sending a POST request to the session.php file with a crafted session parameter that includes malicious SQL code. This injected SQL is executed by the application, allowing the attacker to manipulate the database. The exploitation can be verified using tools like sqlmap, which can automate the injection process and extract database information.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, and minimize database user permissions.