
CVE-2020-22165 Scanner
CVE-2020-22165 Scanner - SQL Injection vulnerability in PHPGurukul Hospital Management System
PHPGurukul Hospital Management System is commonly used by hospitals and healthcare facilities for efficient management of patient data, appointments, and billing. Developed using PHP, this system offers a comprehensive solution that aims to streamline hospital administration activities. It is utilized by IT departments in hospitals to ensure data management tasks are performed effectively. The software is appreciated for its user-friendly interface and robust feature set. By automating various hospital processes, it allows healthcare professionals to focus more on patient care. Overall, PHPGurukul Hospital Management System is aimed at improving operational efficiency in hospital settings.
The SQL Injection vulnerability identified in PHPGurukul Hospital Management System allows attackers to manipulate database queries by injecting malicious SQL statements. This vulnerability can be exploited by remote unauthenticated users, making it a critical security issue. Attackers can exploit this flaw to breach the database, potentially leading to unauthorized access to sensitive data. The vulnerability stems from a lack of input sanitization and improper handling of user-supplied data. The injection point has been detected in the user-login.php endpoint. Addressing this vulnerability is crucial to maintain data integrity and secure hospital management operations.
The vulnerability is located in the \hms\user-login.php file of the PHPGurukul Hospital Management System, specifically in version 4.0. The endpoint affected is vulnerable to SQL Injection due to improper input validation. Attackers can inject SQL code into the username field in the login form. This can be demonstrated with a payload that manipulates the SQL query, potentially revealing sensitive database information if successful. As the exploitation does not require authentication, all external users have the potential to attempt to leverage this weakness. Critical data retrieval or modification can result from successful exploitation.
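The root cause described above, shown as an added example that is not code from PHPGurukul Hospital Management System: a login lookup that pastes the username into the SQL text, next to the same lookup with the username bound as a parameter. The table, columns and function names are hypothetical, SQLite in memory stands in for the application's database so the block runs offline, and the sample account is constructed.

```php
<?php
// Added example: SQLite in memory stands in for the application's database.
// Table, column and function names are hypothetical, not taken from the product.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample account whose name legitimately contains a single quote.
$seed = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$seed->execute(["O'Brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Weak pattern: the username is pasted into the SQL text, so any quote in it
// becomes part of the statement instead of part of the value.
function login_concatenated(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT password_hash FROM users WHERE username = '" . $username . "'";
    $hash = $db->query($sql)->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Hardened pattern: the statement is fixed at prepare time and the username
// is bound as data, so it can never alter the query structure.
function login_prepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

try {
    login_concatenated($db, "O'Brien", 'correct horse');
    echo "concatenated: query ran\n";
} catch (PDOException $e) {
    // The quote closed the string literal early and the rest was parsed as SQL.
    echo "concatenated: statement structure changed by input\n";
}

// The prepared form handles the same username as plain data.
var_dump(login_prepared($db, "O'Brien", 'correct horse'));
var_dump(login_prepared($db, "O'Brien", 'wrong password'));
```

The same separation of statement and data is available in mysqli through `prepare()` and `bind_param()`.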
When exploited, this SQL Injection vulnerability can lead to severe consequences such as unauthorized data retrieval, data leakage, and even complete database compromise. It could allow attackers to gain insights into database structure or extract sensitive information, posing risks to patient privacy and hospital data security. Additionally, this compromise may be a precursor to further attacks, potentially targeting other vulnerabilities in the application. Mitigating this threat is crucial to preventing breaches and maintaining trust in hospital data systems.