Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

PHPGurukul Online Fire Reporting System SQL Injection Vulnerability

Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Online Fire Reporting System version 1.2. The issue resides in the file '/admin/workin-progress-requests.php', where the 'teamid' parameter can be manipulated to inject malicious SQL code. This vulnerability allows attackers to interfere with SQL queries, potentially leading to unauthorized database access, data manipulation, and execution of malicious operations. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries. This could lead to unauthorized data access, data modification or deletion, and in some cases, executing administrative operations on the database. Such actions could cause significant disruption to the application's functionality and data integrity.

Reproduction

The vulnerability can be reproduced by sending a GET request to '/admin/workin-progress-requests.php' with a crafted 'teamid' parameter that includes malicious SQL payloads. This input is not properly sanitized, allowing the injection of SQL commands that could be executed by the database.

Remediation

It is recommended to update to a version of the PHPGurukul Online Fire Reporting System that addresses this vulnerability. If no such version is available, apply general SQL injection mitigation techniques, such as using prepared statements and parameterized queries, so that user input is bound as data rather than interpreted as part of the SQL command.
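The mitigation described above, as an added example (not code from the application or its vendor): the 'teamid' value is validated as a positive integer and then bound to a prepared statement. The table and column names, the function names, and the in-memory SQLite database used so the script runs offline are all assumptions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application's database (hypothetical schema).
function demoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE requests (id INTEGER PRIMARY KEY, team_id INTEGER, status TEXT)');
    $db->exec("INSERT INTO requests (team_id, status) VALUES
               (1, 'in progress'), (2, 'in progress'), (2, 'completed')");
    return $db;
}

// Pattern to avoid (assumed shape of the flaw): request input concatenated into SQL.
//   $sql = "SELECT * FROM requests WHERE team_id = '" . $_GET['teamid'] . "'";

// Hardened lookup: reject anything that is not a positive integer, then bind the
// value as a typed parameter so it can never change the structure of the query.
function requestsForTeam(PDO $db, mixed $rawTeamId): array {
    $teamId = filter_var($rawTeamId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($teamId === false) {
        throw new InvalidArgumentException('teamid must be a positive integer');
    }
    $stmt = $db->prepare(
        'SELECT id, team_id, status FROM requests WHERE team_id = :teamid AND status = :status'
    );
    $stmt->bindValue(':teamid', $teamId, PDO::PARAM_INT);
    $stmt->bindValue(':status', 'in progress', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = demoDb();
// Constructed inputs: one well-formed id, then malformed values that must be rejected.
foreach (['2', '2 OR 1=1', ''] as $input) {
    try {
        $rows = requestsForTeam($db, $input);
        printf("%-12s -> %d row(s)\n", var_export($input, true), count($rows));
    } catch (InvalidArgumentException $e) {
        printf("%-12s -> rejected: %s\n", var_export($input, true), $e->getMessage());
    }
}
```

In the real application, the same two steps (integer validation, bound parameter) would apply wherever 'teamid' from the request reaches a query, using whichever database extension the code base already uses.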

Added: Jul 14, 2025, 2:19 AM
Updated: Jul 14, 2025, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 5.0
remediation: 0.0
relevance: 0.2
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.