PHPGurukul Online Fire Reporting System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Online Fire Reporting System version 1.2. The issue resides in the '/admin/manage-site.php' file, where the 'webtitle' parameter can be manipulated to inject malicious SQL queries. This vulnerability allows attackers to access and manipulate the database, potentially leading to unauthorized data access, data modification, and execution of malicious operations on the server.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, and in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to '/ofrs/admin/manage-site.php' with the 'webtitle' parameter. Include a payload that exploits the SQL injection, such as one that uses a time-based blind injection technique, like 'RLIKE SLEEP(5)'. This can be done manually or with a tool like SQLMap, which can automate the exploitation process by injecting the payload and demonstrating the vulnerability, such as by extracting database information.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be implemented to ensure that user input is properly sanitized before being used in SQL queries. Minimizing database user permissions can also help reduce the impact of a potential exploitation.