itsourcecode Electronic Judging System SQL Injection Vulnerability in edit_judge.php

A SQL injection vulnerability has been identified in the Electronic Judging System by itsourcecode, version 1.0. The issue resides in the file '/admin/edit_judge.php', where the 'judge_id' parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, leading to unauthorized database access, data manipulation, and potential system control.

Impact

Exploitation of this vulnerability allows for SQL injection, with possible consequences including unauthorized database access, data leakage, data manipulation, and in some cases, executing commands on the server.

Reproduction

The vulnerability can be reproduced by sending a request to the '/admin/edit_judge.php' file with a crafted 'judge_id' parameter. This can be done using a web browser or a tool like Burp Suite. The injection can be verified by using payloads that exploit SQL injection, such as boolean-based blind injections or UNION-based injections.

Remediation

To address this vulnerability, it is recommended to use prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be implemented to ensure user input conforms to expected formats. Minimizing database user permissions and conducting regular security audits can also help enhance overall security.