PHPGurukul Beauty Parlour Management System SQL Injection Vulnerability in Book Appointment Feature

A SQL injection vulnerability has been identified in the PHPGurukul Beauty Parlour Management System version 1.1. The issue resides in the 'book-appointment.php' file, where the 'message' parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, without any authentication, potentially leading to unauthorized access and manipulation of the database.

Impact

Exploitation of this vulnerability allows attackers to inject malicious SQL queries, bypassing authentication and authorization. This could lead to unauthorized data access, modification or deletion of database records, and in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to 'book-appointment.php' with a crafted 'message' parameter that includes SQL injection payloads. The injection can be verified by using time-based blind SQL injection techniques, such as adding a payload that makes the database wait for a few seconds before responding.

Remediation

It is recommended to validate and sanitize user inputs, particularly in the 'message' parameter, to prevent SQL injection. Implementing prepared statements and parameterized queries can also help mitigate this vulnerability.