code-projects Online Student Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in code-projects Online Student Management System version 1.0. The issue arises in the Login component, specifically within the accounts.php file. The vulnerability allows remote attackers to manipulate the username and password parameters, leading to unauthorized access and potential database compromise.

Impact

Exploitation of this vulnerability can bypass authentication, allowing attackers to gain unauthorized access. Additionally, it could lead to unauthorized disclosure, modification, or deletion of sensitive database information. Depending on the privileges of the compromised account, there could be full database access.

Reproduction

To reproduce this vulnerability, send typical SQL injection payloads through the username and password fields in the login form. For example, input a username of ' OR '1'='1' -- to bypass authentication. Alternatively, SQL injection payloads can be appended to ID-based parameters in the application's endpoints to extract data from the database.