PHPGurukul Online Fire Reporting System SQL Injection Vulnerability

Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Online Fire Reporting System version 1.2. The issue is in the file '/admin/team-ontheway-requests.php': manipulating the 'teamid' parameter allows attackers to inject malicious SQL code. The attack can be carried out remotely, and the vulnerability has been publicly disclosed along with a proof-of-concept exploit.

Impact

Exploitation of this vulnerability allows attackers to inject and execute arbitrary SQL commands, potentially leading to unauthorized database access, data manipulation or deletion, and in some cases, full system control.

Reproduction

The vulnerability can be reproduced by sending a GET request to '/admin/team-ontheway-requests.php' with a crafted 'teamid' parameter that includes SQL injection payloads. The injected SQL code is executed by the application, allowing the attacker to manipulate the database.

Remediation

It is recommended to update to a version of the PHPGurukul Online Fire Reporting System that addresses this vulnerability. Users can also implement input validation and use prepared statements to prevent SQL injection.
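
The two mitigations named above (input validation and a prepared statement), shown together for a 'teamid' lookup. This is an added example, not code from the PHPGurukul project: the table and column names, the helper functions and the sample inputs are hypothetical, and it assumes PHP 8 with the pdo_sqlite extension so that it runs against an in-memory database.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database so the example runs offline. Table and
// column names are hypothetical; the advisory does not show the real schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE requests (id INTEGER PRIMARY KEY, team_id INTEGER, status TEXT)');
$pdo->exec("INSERT INTO requests (team_id, status) VALUES (1, 'on the way'), (2, 'on the way')");

/**
 * Validate the raw 'teamid' value: a positive integer and nothing else.
 * Returns the integer, or null when the value must be rejected.
 */
function parseTeamId(mixed $raw): ?int
{
    if (!is_string($raw)) {          // arrays (teamid[]=...) and missing values
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up requests for a team; null means the input was rejected. */
function requestsForTeam(PDO $pdo, mixed $rawTeamId): ?array
{
    $teamId = parseTeamId($rawTeamId);
    if ($teamId === null) {
        return null;                 // caller should answer with HTTP 400
    }
    // The value is bound as a typed parameter and never concatenated into
    // the SQL text, so it cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT id, team_id, status FROM requests WHERE team_id = :team_id');
    $stmt->bindValue(':team_id', $teamId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_GET['teamid'].
foreach (['2', '2 OR 1=1', "2'", ['2'], ''] as $input) {
    $rows = requestsForTeam($pdo, $input);
    printf("%-12s => %s\n", json_encode($input), $rows === null ? 'rejected' : count($rows) . ' row(s)');
}
```

Only the first input returns a row; every other value is rejected before any SQL is prepared. The binding alone would already keep the value out of the query text, and the validation step adds an early, explicit failure for malformed requests.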

Added: Jul 14, 2025, 2:18 AM
Updated: Jul 14, 2025, 2:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.6
exploitability: 6.0
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.