SourceCodester CET Automated Grading System - 1.0
An information disclosure vulnerability exists in SourceCodester CET Automated Grading System with AI Predictive Analytics version 1.0. The issue arises in the SQL Handler component, specifically within an unknown function of the file '/index.php'. This vulnerability allows remote authenticated attackers to manipulate input and expose sensitive information through detailed SQL error messages. The error messages can reveal backend database information, including SQLSTATE responses, database engine details, query behavior, PDO exceptions, and MariaDB/MySQL error data.
Exploitation of this vulnerability leads to the unintentional exposure of sensitive database error information, which could be leveraged for further attacks, such as SQL injection.
To reproduce this vulnerability, authenticate as a user and navigate to the 'manage_subjects' action in 'index.php'. Submit a POST request with oversized parameters in the 'program' field. The server response will include verbose SQL error details, demonstrating the information disclosure.
Disable detailed database error messages in the production environment. Implement centralized exception handling to manage errors more securely. Ensure that only generic error messages are returned to users, while logging detailed error information securely on the server.
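One way to implement the mitigation above in PHP, the language the grading system is written in (an added example, not code from the project): PDO is set to throw exceptions, a single uncaught-exception handler writes the SQLSTATE, driver code and message to the server log, and the client receives only a generic message with a correlation id. The function names, the DSN and the `subjects`/`program` table and column are assumptions; the length check reflects the oversized `program` input described in the reproduction steps.

```php
<?php
// Added example (not the project's own code): central handler that logs PDO
// error details server-side and returns a generic message. Names are assumed.
ini_set('display_errors', '0'); // never render errors into the response
ini_set('log_errors', '1');     // send them to the server error log instead

function connect(string $dsn, string $user, string $pass): PDO
{
    // Exceptions route every database failure through the handler below.
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function handleUncaught(Throwable $e): void
{
    $ref = bin2hex(random_bytes(8)); // correlation id for support and logs
    if ($e instanceof PDOException) {
        // errorInfo = [SQLSTATE, driver code, driver message]: log all, return none
        [$state, $code, $msg] = ($e->errorInfo ?? []) + [$e->getCode(), null, null];
        error_log(sprintf('[%s] DB error SQLSTATE=%s code=%s msg=%s at %s:%d', $ref,
            $state, $code ?? '-', $msg ?? $e->getMessage(), $e->getFile(), $e->getLine()));
        $status = 500;
    } elseif ($e instanceof InvalidArgumentException) {
        error_log(sprintf('[%s] bad input: %s', $ref, $e->getMessage()));
        $status = 400;
    } else {
        error_log(sprintf('[%s] %s: %s at %s:%d', $ref, get_class($e),
            $e->getMessage(), $e->getFile(), $e->getLine()));
        $status = 500;
    }
    http_response_code($status);
    header('Content-Type: application/json');
    // Generic text only; the ref lets an operator find the detailed log entry.
    echo json_encode(['error' => 'Request could not be processed.', 'ref' => $ref]);
    exit;
}
set_exception_handler('handleUncaught');

// Validate before the query so oversized input is rejected as bad input
// rather than reaching the database and producing a driver error.
function saveProgram(PDO $db, string $program): void
{
    if ($program === '' || mb_strlen($program) > 100) { // assumed column width
        throw new InvalidArgumentException('program must be 1-100 characters');
    }
    $stmt = $db->prepare('INSERT INTO subjects (program) VALUES (:program)');
    $stmt->execute([':program' => $program]);
}
```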