PHPGurukul Online Fire Reporting System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Online Fire Reporting System version 1.2. The issue resides in the file '/admin/assigned-requests.php', where the 'teamid' parameter is manipulated to inject malicious SQL code. This vulnerability allows attackers to access and manipulate the database, potentially leading to unauthorized data access, data modification or deletion, and exploitation of the underlying system.

Impact

Exploitation of this vulnerability allows for unauthorized database access, manipulation of database contents, and could lead to a complete compromise of the underlying system.

Reproduction

The vulnerability can be reproduced by sending a GET request to '/ofrs/admin/assigned-requests.php' with a crafted 'teamid' parameter that includes a SQL injection payload. The injected SQL code is executed by the application, allowing the attacker to manipulate the database. This vulnerability can be exploited using automated tools like SQLMap.

Remediation

It is recommended to update the application to a version that addresses this vulnerability. If no update is available, consider applying input validation and sanitization measures for the 'teamid' parameter to prevent SQL injection. Additionally, review database access permissions and restrict them to the minimum necessary.