VYPR
Unrated severity · NVD Advisory · Published Apr 28, 2023 · Updated Jan 30, 2025

SourceCodester Faculty Evaluation System manage_academic.php sql injection

CVE-2023-2367

Description

A vulnerability was found in SourceCodester Faculty Evaluation System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/manage_academic.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-227643.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in SourceCodester Faculty Evaluation System 1.0 via id parameter in /admin/manage_academic.php allows remote attackers to extract database contents.

Vulnerability

A SQL injection vulnerability exists in SourceCodester Faculty Evaluation System version 1.0 in the /admin/manage_academic.php endpoint. The id parameter is not properly sanitized before being used in a SQL query, allowing an attacker to inject arbitrary SQL commands. According to reference [1], the vulnerable endpoint is reachable without authentication at /eval/admin/manage_academic.php?id=. The application uses PHP with MySQL on XAMPP.

Exploitation

An unauthenticated remote attacker can exploit this by sending a crafted HTTP GET request to /admin/manage_academic.php with a malicious id parameter. The provided proof-of-concept payload injects an updatexml() error-based SQL query to extract database information [1]. No session or prior authentication is required; the SQLi can be triggered with any HTTP client. The attacker simply modifies the id parameter value in the URL and observes the error output.

Impact

Successful exploitation allows an attacker to enumerate database contents, including potentially sensitive user credentials and other data stored in the MySQL database. The reference demonstrates database name extraction via error-based SQL injection [1]. This could lead to further compromise, such as escalating privileges or accessing additional application data.

Mitigation

The vendor has not released a patched version. The only reference [1] does not provide a fix. Users should restrict network access to the /admin/ directory, implement input validation/filtering on the id parameter, or deactivate the vulnerable application until a patch is available. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
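To make the mitigation concrete, the following PHP is an added illustration, not code from the Faculty Evaluation System (whose source is not on this page). It contrasts the unsafe query-building pattern the description implies with a hardened version that validates id as an integer and binds it through a mysqli prepared statement; the $conn connection and the academic table name are assumptions.

```php
<?php
// Added illustration, not code from the Faculty Evaluation System project.
// Assumptions: a mysqli connection $conn (mysqlnd driver) and a table
// `academic` with an integer `id` column, both hypothetical stand-ins.

// Unsafe pattern: the id parameter is concatenated straight into the query
// text, so whatever the client sends is parsed by MySQL as SQL.
function load_academic_unsafe(mysqli $conn, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT * FROM academic WHERE id = '" . $id . "'";
    $res = $conn->query($sql);            // attacker-controlled SQL runs here
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened form: reject anything that is not a positive integer, then bind
// the value as a parameter so the database never treats it as SQL text.
function load_academic_safe(mysqli $conn, array $get): ?array
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);          // malformed id: refuse the request
        return null;
    }
    $stmt = $conn->prepare("SELECT * FROM academic WHERE id = ?");
    $stmt->bind_param('i', $id);          // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Hypothetical call site inside manage_academic.php:
// $record = load_academic_safe($conn, $_GET);
```

Because the disclosed proof of concept relies on error-based extraction, keeping database error text out of HTTP responses (display_errors off in production, generic error pages) removes the feedback channel even where a query remains unparameterised.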

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (No linked articles in our index yet.)