PHPGurukul Online Fire Reporting System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Online Fire Reporting System version 1.2. The issue resides in the file '/admin/all-requests.php', where the 'teamid' parameter can be manipulated to inject malicious SQL queries. This vulnerability allows attackers to access and manipulate the database, potentially leading to unauthorized data access, data modification or deletion, and exploitation of the underlying system.

Impact

Exploitation of this vulnerability allows for unauthorized database access, manipulation of database contents, and could lead to a complete compromise of the underlying system.

Reproduction

The vulnerability can be reproduced by sending a GET request to '/admin/all-requests.php' with a crafted 'teamid' parameter that includes a SQL injection payload. The injected SQL code is executed by the application, allowing the attacker to manipulate the database. This vulnerability can be exploited using time-based blind SQL injection techniques, such as injecting a payload that causes the database to pause for a few seconds before responding, indicating that the injection was successful.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection vulnerabilities. Additionally, input validation and filtering should be implemented to ensure that user input conforms to expected formats, blocking malicious data. Finally, database user permissions should be minimized, ensuring that the account used to connect to the database has only the necessary privileges.