Code-Projects Student Web Portal SQL Injection Vulnerability in Signup.php

A SQL injection vulnerability has been identified in Code-Projects Student Web Portal version 1.0, specifically within the signup.php file. The issue arises from inadequate validation of the 'reg_passwd' parameter, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, without any authentication, potentially leading to unauthorized access to the database, data manipulation, and leakage of sensitive information.

Impact

Exploitation of this vulnerability allows for unauthorized database access, manipulation or deletion of data, leakage of sensitive information, and could disrupt overall system services.

Reproduction

The vulnerability can be reproduced by sending a POST request to 'signup.php' with the 'reg_passwd' parameter crafted to include malicious SQL. This injected SQL can be designed to, for example, delay the response by several seconds, indicating successful exploitation.

Remediation

It is recommended to implement prepared statements and parameter binding to prevent SQL injection, validate and filter input data, and minimize database permissions for the accounts used to connect to the database.