itsourcecode Student Management System SQL Injection Vulnerability

A SQL injection vulnerability exists in the itsourcecode Student Management System version 1.0, specifically within the enrollment index.php file. The vulnerability arises because the application does not properly sanitize or validate the 'id' parameter in GET requests, allowing attackers to inject malicious SQL code. This exploitation can be done remotely and without authentication.

Impact

Exploitation of this vulnerability allows for unauthorized database access, data manipulation, and potential leakage of sensitive information. It poses a significant risk to the overall security of the system and its data integrity.

Reproduction

To reproduce this vulnerability, send a GET request to the '/ramonsys/enrollment/index.php' file with the 'view' parameter set to 'viewsced' and the 'id' parameter manipulated to include a SQL injection payload. The application will execute the injected SQL code, demonstrating the vulnerability.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.