Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

PHPGurukul Online Fire Reporting System SQL Injection Vulnerability in Add-Team Admin Page

Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Online Fire Reporting System version 1.2. The issue arises in the admin add-team.php file, where the teammember parameter is placed into a database query without adequate validation or escaping, allowing attackers to inject malicious SQL code. This vulnerability can be exploited remotely, potentially leading to unauthorized database access and manipulation.

Impact

Exploitation of this vulnerability allows attackers to inject malicious SQL queries, bypassing authentication and authorization. This could result in unauthorized data access, data manipulation or deletion, and in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to the /ofrs/admin/add-team.php endpoint with the teammember parameter. Include a payload that exploits the SQL injection, such as one that uses time-based blind injection techniques, like causing the database to wait before responding.

Remediation

It is recommended to validate and sanitize user inputs, particularly in the teammember parameter, to prevent SQL injection. Implementing prepared statements and parameterized queries can also help mitigate this vulnerability.
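The following is an added example illustrating the remediation above; it is not PHPGurukul's actual add-team.php source. It places a hypothetical reconstruction of the vulnerable pattern (string concatenation of the teammember parameter into SQL) beside a fixed version that allow-list validates the input and then binds it through a mysqli prepared statement. The table name tblteam, column name TeamMember, database name and credentials are placeholders.

```php
<?php
// Added example, not the project's code. Demonstrates the fix recommended in
// the advisory: validate the teammember parameter, then use a prepared
// (parameterized) statement so the value can never alter the SQL text.
// Table/column/database names below are assumptions, not the real schema.

// --- Vulnerable pattern (shown only for contrast) ---------------------------
function addTeamVulnerable(mysqli $con, string $teammember): bool
{
    // The raw parameter is interpolated into the query string, so any quote
    // or SQL fragment it contains becomes part of the statement itself.
    $sql = "INSERT INTO tblteam (TeamMember) VALUES ('$teammember')";
    return (bool) $con->query($sql);
}

// --- Fixed version -----------------------------------------------------------

// Allow-list validation: a team member name is letters, digits, spaces,
// dots, apostrophes and hyphens, 2 to 100 characters. Returns null on reject.
function validateTeamMember(string $teammember): ?string
{
    $teammember = trim($teammember);
    if ($teammember === '' || strlen($teammember) > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .\'-]{2,100}$/u', $teammember)) {
        return null;
    }
    return $teammember;
}

function addTeamSafe(mysqli $con, string $teammember): bool
{
    $clean = validateTeamMember($teammember);
    if ($clean === null) {
        return false; // reject before touching the database
    }

    // The "?" placeholder keeps the value out of the query text entirely;
    // the driver sends it to MySQL as data, never as SQL.
    $stmt = $con->prepare("INSERT INTO tblteam (TeamMember) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $clean);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// --- Request handler sketch for the add-team page ----------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Placeholder connection details; replace with the application's own.
    $con = new mysqli('localhost', 'db_user', 'db_password', 'ofrs_db');
    $con->set_charset('utf8mb4');

    if (addTeamSafe($con, $_POST['teammember'] ?? '')) {
        echo 'Team member added.';
    } else {
        http_response_code(400);
        echo 'Invalid team member name.';
    }
    $con->close();
}
```

Note that the prepared statement alone closes the injection; the allow-list check is defence in depth that also rejects oversized or malformed input before a query is issued, which is useful when reviewing access logs for rejected requests to this endpoint.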

Added: Jul 14, 2025, 8:19 AM
Updated: Jul 14, 2025, 8:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.0
remediation: 0.0
relevance: 0.3
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.