ProjectsAndPrograms School Management System SQL Injection Vulnerability in buslocation.php

Vulnerability

A critical SQL injection vulnerability has been identified in the ProjectsAndPrograms School Management System, specifically in the buslocation.php file within the student_panel directory. This vulnerability exists in versions prior to the commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The issue arises because the application fails to properly sanitize or parameterize user input in the bus_id HTTP GET parameter, allowing remote attackers to manipulate the input and execute arbitrary SQL commands. Exploitation of this vulnerability is straightforward and does not require authentication.

Impact

Exploitation of this vulnerability allows remote attackers to execute arbitrary SQL commands, bypassing normal database query logic. This could lead to unauthorized access to sensitive data, such as user credentials and personal information, as well as the potential to modify or delete database records, disrupting the application's data integrity and availability.

Reproduction

To reproduce this vulnerability, send a GET request to the buslocation.php file in the student_panel directory, including a crafted bus_id parameter that exploits the SQL injection flaw. The injection can be verified by extracting database information, such as the database name, which will be displayed on the page.
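The pattern behind this flaw, as an added illustration rather than the project's own code: a hypothetical buslocation.php handler that concatenates the bus_id GET parameter into its query, beside a hardened version that validates the parameter and binds it through a mysqli prepared statement. The table and column names, the connection details and the $conn handle are all assumptions.

```php
<?php
// Added illustration, not the project's code. The table/column names
// (buses, bus_id, location) and the connection details are assumptions.

// VULNERABLE pattern: the GET parameter is concatenated straight into the
// SQL text, so whatever the client sends in bus_id is parsed as part of the
// query rather than treated as a value.
function bus_location_vulnerable(mysqli $conn): ?array
{
    $bus_id = $_GET['bus_id'] ?? '';
    $sql = "SELECT location FROM buses WHERE bus_id = '" . $bus_id . "'";
    $result = $conn->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// HARDENED pattern: reject anything that is not an integer, then bind the
// value as a parameter so the database never interprets it as SQL.
function bus_location_safe(mysqli $conn): ?array
{
    $bus_id = filter_input(INPUT_GET, 'bus_id', FILTER_VALIDATE_INT);
    if ($bus_id === false || $bus_id === null) {
        http_response_code(400);
        return null;
    }
    $stmt = $conn->prepare("SELECT location FROM buses WHERE bus_id = ?");
    $stmt->bind_param('i', $bus_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Minimal wiring; credentials and database name are placeholders.
$conn = new mysqli('localhost', 'db_user', 'db_password', 'school_db');
$conn->set_charset('utf8mb4');
$row = bus_location_safe($conn);
header('Content-Type: application/json');
echo json_encode($row ?? ['error' => 'invalid bus_id']);
```

The hardened handler also avoids echoing database errors to the page, which removes the error-based channel the Reproduction section relies on for confirming the injection.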

Added: Apr 20, 2026, 3:20 AM
Updated: Apr 20, 2026, 3:20 AM

Vulnerability Rating

Custom Algorithm
  spread          0.8
  impact          2.5
  exploitability  9.5
  remediation     0.0
  relevance       6.3
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.