code-projects Online Examination System SQL Injection Vulnerability in Login Page
Vulnerability
A SQL injection vulnerability has been identified in code-projects Online Examination System version 1.0. The issue arises in the Login Page component, specifically within the index.php file. The vulnerability is triggered by manipulating the User argument, which allows for unauthorized SQL command execution. This vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a request to the '/onexam/index.php' login page. Manipulate the 'User' argument to inject malicious SQL code. The injection takes advantage of the application's use of deprecated 'mysql_' functions, which are vulnerable to SQL injection attacks.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.