CodeAstro Simple Attendance Management System SQL Injection Vulnerability Allowing Authentication Bypass

Vulnerability

A SQL injection vulnerability has been identified in CodeAstro Simple Attendance Management System version 1.0. This vulnerability allows remote, unauthenticated attackers to bypass authentication by exploiting the username parameter in the login form of index.php. The vulnerability arises because the application concatenates the username directly into a MySQL query without proper sanitization or the use of prepared statements. As a result, an attacker can inject a crafted SQL payload to gain unauthorized access.

Impact

Exploitation of this vulnerability bypasses authentication and grants full administrative access to the application, including read and write access to all attendance records. Because no credentials are required, any remote user who can reach the login page can exploit it.

Reproduction

To reproduce this vulnerability, navigate to the login page of the application. Enter 'admin' followed by a SQL injection payload, such as 'admin'--, in the username field. Leave the password field blank or enter any value. Submit the login form. The injection bypasses authentication, granting access to the admin panel.

Remediation

To address this vulnerability, update the SQL query in index.php to use prepared statements instead of concatenating user input directly into the query. This can be done with either the MySQLi or the PDO extension, both of which provide methods for binding parameters and executing the query safely.
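The following is an added illustration, not CodeAstro's own code: a hypothetical login check in the vulnerable string-concatenation style the advisory describes, beside the prepared-statement fix in both PDO and MySQLi. The table and column names (users, username, password_hash) are assumptions, and the password-hash check is an extra hardening step the advisory does not prescribe.

```php
<?php
// Added example, not the application's own code. Table/column names are assumed.

// VULNERABLE: the username (and password) are spliced into the SQL text, so a
// quote character in the input changes the structure of the query itself.
function loginVulnerable(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT * FROM users WHERE username = '" . $username .
           "' AND password = '" . $password . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// FIXED (PDO): the username travels as a bound parameter, never as SQL text,
// so it cannot alter the query. The password is checked against a stored hash
// (assumed column password_hash) rather than compared inside the query.
function loginSafePdo(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u LIMIT 1'
    );
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // unknown user or wrong password: identical result for both
    }
    unset($row['password_hash']);
    return $row;
}

// FIXED (MySQLi): same idea with a positional placeholder and bind_param.
// get_result() requires the mysqlnd driver, which is standard on modern PHP.
function loginSafeMysqli(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}
```

In the fixed versions, input containing quote characters or comment sequences is simply treated as a literal username value that matches no row, which is the property the advisory's remediation relies on.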

Added: Apr 17, 2026, 3:29 PM
Updated: Apr 17, 2026, 3:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.