PHPGurukul Vehicle Parking Management System SQL Injection Vulnerability in Manage Category File

A critical SQL injection vulnerability has been identified in PHPGurukul Vehicle Parking Management System version 1.13. The issue arises in the file '/admin/manage-category.php', where the 'del' parameter can be manipulated to inject malicious SQL queries. This vulnerability allows attackers to access and manipulate the database without authorization, potentially leading to unauthorized data access, modification, or deletion.

Impact

Exploitation of this vulnerability allows for unauthorized database access, manipulation of data, and execution of unauthorized operations, posing a severe risk to system security and data integrity.

Reproduction

The vulnerability can be reproduced by sending a GET request to '/admin/manage-category.php' with a crafted 'del' parameter that includes malicious SQL payloads. The injected SQL is executed by the application, allowing the attacker to manipulate the database. This SQL injection can be exploited using time-based blind techniques, such as injecting a payload that causes the database to pause for a few seconds before responding, indicating that the injection was successful.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be implemented to ensure that user input conforms to expected formats. Minimizing database user permissions can also help reduce the impact of such vulnerabilities.