
Aicte India LMS 3.0 Vulnerability: SQL Injection


A recent discovery has revealed a remote SQL injection vulnerability in Aicte India LMS version 3.0. This vulnerability could potentially expose sensitive data and compromise the security of the platform.

The vulnerability was uncovered by security researcher indoushka, who tested the system on a Windows 10 Pro operating system using Mozilla Firefox version 115.0.2 (64-bit). Aicte India LMS is a learning management system developed by Codecanyon.

An attacker can exploit the vulnerability by injecting malicious SQL code into the system through the URL “committee.php?n=ANTI-RAGGING”. Input supplied in this URL's parameter can carry the attacker's code, potentially giving them unauthorized access to the database.

To demonstrate the severity of the vulnerability, indoushka provided a proof-of-concept (POC) attack. By using a search engine or Google dorking, an attacker can search for vulnerable instances of Aicte India LMS. Once a vulnerable system is identified, the attacker can use the payload “/committee.php?n=ANTI-RAGGING” to inject their SQL code.

Additionally, indoushka used a tool called sqlmap.py to further demonstrate the exploit. By running the command “sqlmap.py -u http://vtcbcsreduin/committee.php?n=ANTI-RAGGING --tables -D vcbtanyb_auction”, the tool would search for tables in the vulnerable database.

It is important to note that the vulnerability has not been officially confirmed by Aicte India LMS or Codecanyon. However, it is crucial for users and administrators of the platform to be aware of this potential security risk.

If left unaddressed, this vulnerability could result in unauthorized access to sensitive data, such as user information, academic records, and other confidential data stored within the Aicte India LMS database. This can have serious implications for both the platform and its users.

In light of this discovery, users and administrators are advised to take necessary precautions to mitigate the risks associated with this vulnerability. This includes keeping the system up-to-date with the latest security patches, monitoring for any suspicious activity, and regularly backing up important data.
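For the monitoring step, one way to review web-server access logs for probing of the reported endpoint. This is an added example, not code from the advisory or the vendor; it assumes the Apache/Nginx combined log format, and the function names, the allow-list pattern for `n` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fields needed from a combined-log-format line: client IP, request target, user agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Characters and keywords that have no place in a committee name such as ANTI-RAGGING.
SQL_META = re.compile(
    r"""['";]|--|/\*|\b(union|select|sleep|benchmark|information_schema)\b""", re.I)
# Assumption: legitimate values are short names of letters, digits, space, '-' and '_'.
EXPECTED = re.compile(r"[A-Za-z0-9 _-]{1,64}")

def inspect_line(line):
    """Return the reasons a request to committee.php looks like SQLi probing ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    if not url.path.endswith("/committee.php"):
        return []
    reasons = []
    # parse_qs percent-decodes the value, so encoded quotes are seen as quotes.
    for value in parse_qs(url.query, keep_blank_values=True).get("n", []):
        if SQL_META.search(value):
            reasons.append("sql-metacharacters")
        elif not EXPECTED.fullmatch(value):
            reasons.append("unexpected-value")
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap-user-agent")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged line, numbering from 1."""
    hits = [(i, inspect_line(line)) for i, line in enumerate(lines, 1)]
    return [(i, r) for i, r in hits if r]

# Constructed sample log lines (documentation IP ranges), not taken from a real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /committee.php?n=ANTI-RAGGING HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /committee.php?n=ANTI-RAGGING%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /committee.php?n=ANTI-RAGGING HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '198.51.100.4 - - [01/Jan/2024:10:00:09 +0000] "GET /committee.php?n=%3Cb%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?n=1%27 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(number, ", ".join(reasons))
```

The user-agent check only catches a scanner left at its default setting, so treat it as a supplement to the parameter checks rather than a detection on its own.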

Furthermore, it is recommended to reach out to Aicte India LMS and Codecanyon for further guidance and information regarding this vulnerability. A prompt response from the vendors would provide reassurance to users and demonstrate their commitment to maintaining a secure platform.

In conclusion, the remote SQL injection vulnerability discovered in Aicte India LMS version 3.0 poses a significant risk to the security of the platform. The exploitation of this vulnerability can lead to unauthorized access to sensitive data, potentially compromising the privacy and security of users. Users and administrators are strongly urged to take the necessary steps to address this vulnerability and ensure the protection of their data.
