itsourcecode Student Management System SQL Injection Vulnerability

A SQL injection vulnerability exists in the itsourcecode Student Management System version 1.0, specifically within the file '/ramonsys/facultyloading/index.php'. The vulnerability arises because the application does not properly sanitize or validate the 'id' parameter in GET requests, allowing attackers to inject malicious SQL code. This exploitation can be done remotely and without authentication.

Impact

Exploitation of this vulnerability allows attackers to manipulate SQL queries, potentially leading to unauthorized database access, data leakage, data tampering, and service interruptions.

Reproduction

To reproduce this vulnerability, send a GET request to '/ramonsys/facultyloading/index.php' with the 'view' parameter set to 'addsubject' and the 'id' parameter manipulated to include a SQL injection payload. The injected SQL code can be crafted to, for example, use a time-based blind SQL injection technique by adding a payload that causes the database to pause execution for a few seconds before responding.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.