MIHAB - Malaysia International Halal Authority Board
MIHAB - Malaysia International Halal Authority Board - Lei - 05-06-25 ![]() ███ ███ ██ [REPORT: MyeHalal SQLi Exposure · 2025-06-05] Origin: Anonymous Subject: SQL Injection Vulnerability – myehalal.halal.gov.my Target: https://myehalal.halal.gov.my Vulnerability Type: Unauthenticated SQL Injection → Full Panel Access Vector: Login field vulnerable to classic SQLi: Payload used: ' OR '1'='1' -- Result: • Bypass of authentication gate • Admin-level access to portal dashboard • Retrieval of user-submitted data without credentials • Evidence of unsanitized backend queries Impact: • Access to thousands of records (halal certification applications) • Downloadable document archive (PDFs of IDs, business forms, certs) • No CAPTCHA, WAF, or rate limiting • Unencrypted data at rest and in transit (expired TLS) • Database tables: `users`, `applications`, `documents`, `audit_log` Additional Notes: • No alert triggered. Session remained active for >15 minutes. • Logs suggest this vulnerability may have been live for years. • Exploitation required no tools beyond a browser and Burp. Proof of Concept: Login POST with payload: ```sql username=' OR '1'='1' -- password=anything dm me for the admin panel url RE: MIHAB - Malaysia International Halal Authority Board - faorre14 - 05-06-25 hi, i'm interested, could u please send me the admin panel url? :) RE: MIHAB - Malaysia International Halal Authority Board - Lei - 06-06-25 (05-06-25, 09:32 AM)faorre14 Wrote: hi, i'm interested, could u please send me the admin panel url? :) https://myehalal.halal.gov.my/myihab/v1/admin/index.php enjoy! add me a reputation if youre okay with it thanks RE: MIHAB - Malaysia International Halal Authority Board - Idolag - 19-09-25 thanks |
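The login flaw class the report describes, as an added example that is not code from the thread or from the affected site: a string-concatenated login query beside a parameterized one that also counts failed attempts, since the report notes there was no rate limiting or alerting. The schema, the account, `DEMO_SALT`, `MAX_FAILURES` and all function names are assumptions, and SQLite stands in for the unknown backend.

```python
import hashlib
import sqlite3

# Constructed demo value: a fixed salt keeps the example short; production code
# uses a per-user salt with a dedicated password-hashing KDF.
DEMO_SALT = b"constructed-demo-salt"
MAX_FAILURES = 5  # assumed lockout threshold


def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000).hex()


def make_db():
    """In-memory users table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", pw_hash("correct horse"), "admin"))
    return db


def login_concatenated(db, username, password):
    """Weak form: input is spliced into the SQL text, so a quote in the
    username changes the structure of the WHERE clause."""
    sql = ("SELECT role FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password, failures, source):
    """Corrected form: values are bound as parameters and never parsed as SQL.
    `failures` maps a client identifier to its failed-attempt count."""
    if failures.get(source, 0) >= MAX_FAILURES:
        return None  # locked out; a real system would also raise an alert here
    row = db.execute(
        "SELECT role FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    if row is None:
        failures[source] = failures.get(source, 0) + 1
        return None
    failures.pop(source, None)  # successful login resets the counter
    return row[0]
```

With bound parameters the quoted input is compared as a literal username, so it matches no row and is counted as a failed attempt.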