| Title | MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0 SQL Injection |
|---|
| Description | The Online College Event Hall Reservation System demonstrates a significant SQL Injection vulnerability within its `/admin/update-rooms.php` script. This vulnerability arises from the application's handling of the `room_id` parameter, where user input is directly incorporated into an SQL query without proper sanitization or preparation. As shown in the provided proof of concept, attackers can exploit this flaw to execute arbitrary SQL commands, such as delaying the server response with a `sleep(5)` function. This issue highlights the critical need for using parameterized queries or other secure coding practices to protect the database from SQL Injection attacks, ensuring the integrity and security of the application's data. |
|---|
| Source | ⚠️ https://github.com/skid-nochizplz/skid-nochizplz/blob/main/TrashBin/CVE/MAGESH-K21%20%20Online-College-Event-Hall-Reservation-System/SQL%20Injection%20-%20update-rooms.php.md |
|---|
| User | nochizplz (UID 64302) |
|---|
| Submission | 03/08/2024 05:37 (2 years ago) |
|---|
| Moderation | 03/15/2024 17:29 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 256965 [MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0 /admin/update-rooms.php room_id sql injection] |
|---|
| Points | 20 |
|---|