PHPGurukul Vehicle Parking Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Vehicle Parking Management System version 1.13. The issue resides in the file '/admin/bwdates-reports-details.php', where the 'fromdate' and 'todate' parameters are manipulated to inject malicious SQL code. This unsanitized input is exploited to interfere with SQL queries, potentially leading to unauthorized database access and data manipulation.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, with possibilities including unauthorized data access, data modification or deletion, and in some cases, executing commands on the server under the database user's privileges.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/vpms/admin/bwdates-reports-details.php' with crafted 'todate' and 'fromdate' parameters. The 'todate' parameter should include SQL injection payloads, such as boolean-based blind injection or UNION-based injections, to exploit the vulnerability.

Remediation

It is recommended to update to a version of PHPGurukul Vehicle Parking Management System that addresses this vulnerability. If no such version is available, consider applying general SQL injection mitigation techniques, such as using prepared statements and parameterized queries, to prevent exploitation.