SourceCodester Advanced School Management System
cpe:2.3:a:advanced_school_management_system_project:advanced_school_management_system:*:*:*:*:*:*:*
- 1.0
A SQL injection vulnerability has been identified in SourceCodester Advanced School Management System version 1.0. The flaw is in the '/index.php/stock/item_select' endpoint, where the value of the 'q' GET parameter is placed into an SQL query without sanitization or parameterization. An authenticated attacker can therefore alter the structure of the query and read or modify data that the endpoint was never meant to expose. The vulnerability is exploitable remotely over the network, and a public exploit is available.
Exploitation requires a valid account (or a hijacked session), since the vulnerable route sits behind the application's login. Once authenticated, the attacker controls part of the SQL statement executed by the application and can extract data from arbitrary tables, modify or delete records, or disrupt service through expensive or destructive queries.
To reproduce this vulnerability, log into the application with valid credentials. Then request the '/index.php/stock/item_select' endpoint with a crafted 'q' parameter containing an SQL payload, for example a time-based blind payload that makes the database pause only when an injected condition is true. A consistent delay in the server's response relative to a baseline request confirms the injection; compare several requests against the unmodified baseline so that network jitter is not mistaken for a database-induced delay. The '/index.php/stock/vendordetails' endpoint can be tested the same way through its 'id' parameter with equivalent payloads.
Developers are advised to fix the root cause by using prepared statements with parameterized queries (in PHP, PDO or mysqli prepared statements), binding the 'q' and 'id' values as parameters so that they are never interpreted as SQL. Strict input validation (for example, requiring 'id' to be an integer) is useful defense in depth but is not a substitute for parameterization. The database account used by the application should have only the privileges the application needs, so that a successful injection cannot read or alter unrelated tables. A web application firewall may be considered as an additional layer of defense, but it can be bypassed and does not remove the vulnerability.
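The following is an added example, not code from the advisory or from the Advanced School Management System itself, that models the flawed pattern described above and the parameterized fix side by side. The application is written in PHP and its real schema and query are not given in the advisory, so the table, columns, sample rows and the LIKE-based search query are constructed assumptions, and SQLite stands in for the application's database. Because SQLite has no SLEEP() function, the blind-extraction helper uses a boolean oracle (rows returned or not) rather than a timing oracle; the inference logic is identical to the time-based technique described in the reproduction steps, only the observable signal differs.

```python
import sqlite3

# Constructed schema and sample data (assumption: the real application's
# tables and columns are not documented in the advisory).
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret_cost REAL);
INSERT INTO items (name, secret_cost)
VALUES ('Chalk', 1.5), ('Notebook', 3.25), ('Projector', 450.0);
"""


def make_db():
    """Build an in-memory SQLite database standing in for the app's DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def item_select_vulnerable(conn, q):
    """Models the flawed item_select handler: the 'q' parameter is spliced
    into the SQL text, so a quote in q changes the statement's structure.
    (Assumed query shape; the advisory does not show the real one.)"""
    sql = f"SELECT id, name FROM items WHERE name LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def item_select_fixed(conn, q):
    """Parameterized version: q is bound as a value and can never be
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT id, name FROM items WHERE name LIKE ?"
    return conn.execute(sql, (f"%{q}%",)).fetchall()


# Payload that hijacks the vulnerable query to dump a column the endpoint
# never returns; the trailing '--' comments out the rest of the statement.
UNION_PAYLOAD = "' UNION SELECT id, secret_cost FROM items -- "


def blind_oracle(conn, condition):
    """Boolean oracle built on the vulnerable endpoint: the injected
    condition decides whether any rows come back. A time-based blind
    attack works the same way, but the signal is a delay (e.g. SLEEP)
    instead of a row count."""
    payload = f"' AND ({condition}) -- "
    return len(item_select_vulnerable(conn, payload)) > 0


def blind_extract_int(conn, expr, max_value=1000):
    """Recover an integer-valued SQL expression one oracle query at a
    time via binary search, never seeing the value directly."""
    lo, hi = 0, max_value
    while lo < hi:
        mid = (lo + hi) // 2
        if blind_oracle(conn, f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    conn = make_db()
    print("normal search:", item_select_vulnerable(conn, "Chalk"))
    print("vulnerable + UNION payload:", item_select_vulnerable(conn, UNION_PAYLOAD))
    print("fixed + UNION payload:", item_select_fixed(conn, UNION_PAYLOAD))
    cost_expr = "SELECT CAST(secret_cost AS INTEGER) FROM items WHERE name = 'Projector'"
    print("blind-extracted cost:", blind_extract_int(conn, cost_expr))
```

Against the vulnerable handler the UNION payload returns the hidden secret_cost column alongside the legitimate rows, and the blind helper recovers a value the endpoint never displays using only a yes/no signal; against the parameterized handler the same payload is treated as a literal search string and matches nothing.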