CodeAstro Patient Record Management System SQL Injection Vulnerability
Vulnerability
A critical SQL injection vulnerability has been identified in CodeAstro Patient Record Management System version 1.0. The issue resides in the login.php file, where the uname parameter can be manipulated to inject arbitrary SQL commands. This vulnerability can be exploited remotely and does not require authentication, potentially leading to unauthorized access and full compromise of the database.
Impact
Exploitation of this vulnerability allows for time-based blind SQL injection, enabling attackers to execute arbitrary SQL commands. This could result in unauthorized data access, data manipulation, or a complete compromise of the database.
Reproduction
The vulnerability can be reproduced by sending a crafted request to the login.php file with a payload that injects SQL commands through the uname parameter. This can be done using a variety of tools or manually, depending on the attacker's preference.
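The flaw class described above, a request parameter reaching the SQL text of the login query, is shown below next to its parameterized fix. This is an added example, not code from CodeAstro's login.php: the table, columns, function names and length limit are hypothetical, and an in-memory SQLite database stands in for the real one so the script runs offline.

```php
<?php
// Added example. Table, column and function names are hypothetical, not taken
// from the CodeAstro source. SQLite in memory stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uname TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$seed = $db->prepare('INSERT INTO users (uname, pass_hash) VALUES (?, ?)');
$seed->execute(['admin', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Vulnerable pattern: uname is spliced into the SQL text, so any quote in the
// request changes the statement the database parses.
function login_concat(PDO $db, string $uname, string $pass): bool
{
    $sql = "SELECT pass_hash FROM users WHERE uname = '$uname'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['pass_hash']);
}

// Hardened form: the statement text is fixed and uname travels as a bound
// parameter, so it is only ever compared as a value.
function login_prepared(PDO $db, string $uname, string $pass): bool
{
    if ($uname === '' || strlen($uname) > 64) {
        return false; // length limit is an assumed policy, not from the page
    }
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['pass_hash']);
}

// Constructed inputs: a valid login, then a username that contains a quote.
var_dump(login_prepared($db, 'admin', 'constructed-sample-pw'));
var_dump(login_prepared($db, "o'neil", 'x'));
try {
    login_concat($db, "o'neil", 'x');
} catch (PDOException $e) {
    // The quote ended the string literal early: user input reached the parser.
    echo "concatenated query failed to parse: input was treated as SQL\n";
}
```

When the same pattern is used with PDO's MySQL driver, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server, rather than the client library, bind the parameter.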
