PHPGurukul Student Record System SQL Injection Vulnerability in Manage-Subjects.php

Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Student Record System version 3.2. The issue resides in the manage-subjects.php file, where the del parameter is used in a SQL query without being sanitized. By manipulating this parameter, an attacker can inject SQL code that interferes with the query, potentially leading to unauthorized database access and data manipulation.

Impact

Exploitation of this vulnerability allows attackers to inject malicious SQL queries, bypassing authentication and accessing the database. This could result in unauthorized data exposure, data modification or deletion, and, in some cases, command execution on the server.

Reproduction

The vulnerability can be reproduced by sending a GET request to manage-subjects.php with a crafted del parameter that includes SQL injection payloads. The injected SQL code can be designed to exploit the application's database query handling, such as using time-based blind SQL injection techniques to extract information from the database.

Remediation

It is recommended to update the application to a version that addresses this vulnerability. If no update is available, consider applying input validation and sanitization measures for the del parameter, and use prepared statements to prevent SQL injection.
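The two recommended measures applied together, as an added example that is not PHPGurukul's code: the `subjects` table, its `id` column, the `deleteSubject()` helper and the in-memory SQLite database are all assumptions made so the snippet runs stand-alone (PHP 8, PDO).

```php
<?php
declare(strict_types=1);

// Hypothetical helper and schema: the page does not show the application's code.
function deleteSubject(PDO $db, mixed $rawId): bool
{
    // Input validation: accept only a positive integer, reject everything else
    // (strings with trailing SQL, negative numbers, arrays such as del[]=1).
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }

    // Prepared statement: the value is bound as typed data and is never
    // concatenated into the SQL text.
    $stmt = $db->prepare('DELETE FROM subjects WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount() === 1;
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subjects (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO subjects (name) VALUES ('Maths'), ('Physics'), ('History')");

// Constructed sample values, as they could arrive in $_GET['del'].
$samples = ['2', '2 OR 1=1', '2abc', '-1', ['1'], '99'];
foreach ($samples as $del) {
    $result = deleteSubject($db, $del) ? 'deleted' : 'rejected or no such row';
    printf("%-12s => %s\n", json_encode($del), $result);
}

$left = $db->query('SELECT COUNT(*) FROM subjects')->fetchColumn();
echo "rows left: {$left}\n";
```

Only the well-formed value `2` removes a row; every other sample is refused before it reaches the database or matches nothing.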

Added: Jun 30, 2025, 3:17 PM
Updated: Jun 30, 2025, 3:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 5.0
exploitability: 9.5
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.