Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

PHPGurukul Vehicle Parking Management System SQL Injection Vulnerability in Search Vehicle Admin Page

Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Vehicle Parking Management System version 1.13. The flaw is in the admin search page, /admin/search-vehicle.php: the searchdata parameter is used directly in a SQL query without sanitization or parameter binding, so a request that places SQL syntax in that parameter changes the query the database executes. An attacker can therefore read and modify the database without authorization. The vulnerability is exploitable remotely and poses a significant risk to data integrity and system security.

Impact

Exploitation allows an attacker to inject arbitrary SQL into the search query, potentially leading to unauthorized database access, manipulation or deletion of data, and execution of administrative operations through the database.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /admin/search-vehicle.php endpoint with a crafted searchdata parameter. Both time-based blind payloads (the response is delayed only when an injected condition is true, which leaks data one bit at a time) and UNION-based payloads (rows from an injected SELECT are returned inside the normal search results) work against this parameter and can be used to extract database contents.

Remediation

Use prepared statements with parameter binding for every query that takes user input, so that the value of searchdata is passed to the database as data and is never parsed as SQL. Additionally, validate and filter input so that it conforms to the expected format before it reaches the query. Finally, run the application under a database account with the minimum privileges it needs, so that an injection that does get through cannot reach sensitive tables or perform administrative operations.
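The following added example (written for this page, not PHPGurukul's own code) contrasts the kind of string-built query described in the Vulnerability and Reproduction sections with a mysqli prepared-statement rewrite that applies the three remediation points above. The table name "vehicle", its column names, the registration-number format enforced by the regular expression, and the connection details are all assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not PHPGurukul's code. Both functions are hypothetical
// reconstructions; the table "vehicle" and its columns are assumptions.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli errors become exceptions

/**
 * Vulnerable pattern (assumed): the POST parameter is interpolated into the query
 * string, so a searchdata value containing a single quote closes the literal and the
 * remainder is parsed as SQL. This is how a UNION-based or time-based blind payload
 * reaches the database.
 */
function searchVehiclesVulnerable(mysqli $db, string $searchdata): array
{
    $sql = "SELECT id, owner_name, vehicle_category, reg_number, parking_number
              FROM vehicle
             WHERE reg_number LIKE '%" . $searchdata . "%'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

/**
 * Hardened version: the value is validated against the expected shape and then bound
 * as a parameter, so it can never change the structure of the statement.
 */
function searchVehiclesSafe(mysqli $db, string $searchdata): array
{
    // Validation: accept only a short alphanumeric token (assumed registration-number
    // format). This also keeps the LIKE wildcards '%' and '_' out of user input.
    if (preg_match('/^[A-Za-z0-9-]{1,20}$/', $searchdata) !== 1) {
        return [];
    }

    $stmt = $db->prepare(
        'SELECT id, owner_name, vehicle_category, reg_number, parking_number
           FROM vehicle
          WHERE reg_number LIKE ?'
    );
    // The entire LIKE pattern is a single bound string parameter; the server receives
    // the statement and the value separately and never parses the value as SQL.
    $pattern = '%' . $searchdata . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Handler wiring: the POST parameter goes only through the safe path.
// Connection details are placeholders.
$db = new mysqli('localhost', 'parking_app', 'app-password', 'parking');
$searchdata = $_POST['searchdata'] ?? '';
$results = searchVehiclesSafe($db, $searchdata);

// Least privilege for the application account (run once as the DB admin; schema assumed):
//   CREATE USER 'parking_app'@'localhost' IDENTIFIED BY 'app-password';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON parking.* TO 'parking_app'@'localhost';
// No DROP, FILE, or SUPER privilege, so an injection that does get through cannot drop
// tables or read files from the database host.
```

Two practical notes: get_result() requires the mysqlnd driver, which is the default in modern PHP builds; on older builds use bind_result() instead. Escaping with mysqli_real_escape_string() is not an equivalent fix, because it only protects values inside quoted literals and breaks as soon as the input lands in a numeric, LIMIT or ORDER BY position; parameter binding is safe regardless of where the value appears.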

Added: Jul 12, 2025, 8:22 PM
Updated: Jul 12, 2025, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 5.0
exploitability: 9.8
remediation: 0.0
relevance: 0.2
threat: 8.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.