PHPGurukul Hospital Management System SQL Injection Vulnerability in view-medhistory.php

A critical SQL injection vulnerability has been identified in PHPGurukul Hospital Management System version 1.0. The issue resides in the view-medhistory.php file, where the viewid parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, without any authentication, potentially leading to unauthorized database access, data modification or deletion, and exposure of sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, which could lead to unauthorized database access, manipulation or deletion of data, and exposure of sensitive information.

Reproduction

The vulnerability can be reproduced by sending a GET request to view-medhistory.php with a crafted viewid parameter that includes malicious SQL payloads. This can be done manually or using automated tools like sqlmap, which can exploit the vulnerability and extract data from the database.

Remediation

No specific remediation is known, but general best practices for preventing SQL injection should be followed, such as using prepared statements and parameterized queries, validating and sanitizing user input, and minimizing database user privileges.