Phpgurukul Cyber Cafe Management System
cpe:2.3:a:phpgurukul:cyber_cafe_management_system:*:*:*:*:*:*:*
- v1.0
A SQL injection vulnerability has been identified in Phpgurukul Cyber Cafe Management System version 1.0, specifically within the user management module. The issue arises in the 'add-users.php' endpoint, where the application inadequately validates user input in the 'username' parameter. This lack of proper input sanitization allows attacker-controlled data to be directly executed in SQL queries, potentially leading to unauthorized database access and data manipulation.
Exploitation of this vulnerability could result in information disclosure, unauthorized access to the database, and manipulation of database records.
The vulnerability can be reproduced by an authenticated attacker with administrative privileges. During the user creation process, inject SQL payloads into the 'username' parameter that exploit the application's SQL query handling. The injection can be confirmed using time-based SQL injection techniques, such as introducing delays with database sleep functions, to demonstrate that the injected SQL is executed.
To address this vulnerability, implement prepared statements to ensure SQL queries are parameterized and not directly influenced by user input. Apply strict server-side input validation and sanitize all user-supplied data before processing. Additionally, use database accounts with least privilege access and change default administrative credentials after installation.
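The following is an added illustration of the remediation described above; it is not code from the Phpgurukul project. It shows the unsafe string-concatenation pattern for contrast, then an allow-list validator for the 'username' parameter and a mysqli prepared statement that binds the value as data. The table name `tbluser`, its column names, the `fullname` field, the database credentials and the surrounding endpoint flow are all assumptions.

```php
<?php
// Added example (not code from the Phpgurukul project): hardened handling of the
// 'username' parameter on an "add user" endpoint using mysqli prepared statements.
// Table name, column names and connection details are assumptions.

declare(strict_types=1);

// Hypothetical vulnerable pattern: interpolating request data into the SQL text.
// Whatever arrives in $_POST['username'] becomes part of the query, which is the
// root cause the advisory describes. Shown only for contrast; do not use.
//   $sql = "INSERT INTO tbluser (UserName) VALUES ('" . $_POST['username'] . "')";
//   mysqli_query($con, $sql);

/**
 * Validate the username server-side before it reaches the database layer.
 * Returns the cleaned value, or null if the input is not acceptable.
 */
function validateUsername(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $username = trim($raw);
    // Allow-list: 3 to 32 characters of letters, digits, dot, underscore or hyphen.
    if (preg_match('/^[A-Za-z0-9._-]{3,32}$/', $username) !== 1) {
        return null;
    }
    return $username;
}

/**
 * Insert the user with a parameterized query. The username is bound as data,
 * so the SQL text stays fixed regardless of what the client sent.
 */
function addUser(mysqli $con, string $username, string $fullName): bool
{
    $stmt = $con->prepare('INSERT INTO tbluser (UserName, FullName) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $username, $fullName);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling (assumed endpoint flow; the admin session check is assumed to
// happen earlier in the page, as it does for the original add-users.php).
$username = validateUsername($_POST['username'] ?? null);
$fullName = trim((string)($_POST['fullname'] ?? ''));
if ($username === null || $fullName === '') {
    http_response_code(400);
    echo 'Invalid input';
    exit;
}

// Raise exceptions on driver errors instead of continuing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// Least-privilege account (assumption): INSERT on tbluser only, no FILE/DROP grants.
$con = new mysqli('localhost', 'ccms_app', 'replace-with-secret', 'ccmsdb');

echo addUser($con, $username, $fullName) ? 'User added' : 'Insert failed';
```

The validator is a defence-in-depth measure, not the primary fix: the prepared statement alone stops the injection, because the placeholder is never interpreted as SQL. The allow-list simply rejects values the application has no reason to accept, and the least-privilege account limits what a future bug elsewhere could reach.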