VYPR
Severity: Unrated · Source: NVD Advisory · Published Mar 12, 2015 · Updated May 6, 2026

CVE-2015-2237

Description

Multiple SQL injection vulnerabilities in Betster (aka PHP Betoffice) 1.0.4 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) showprofile.php or (2) categoryedit.php or (3) username parameter in a login to index.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Betster (PHP Betoffice) 1.0.4 contains multiple SQL injection flaws via the `id` and `username` parameters, allowing unauthenticated remote attackers to execute arbitrary SQL commands.

Vulnerability

Betster (also known as PHP Betoffice) version 1.0.4 is vulnerable to multiple SQL injection attacks in several endpoints. The id parameter in showprofile.php and categoryedit.php, as well as the username parameter during login via index.php, are not properly sanitized before being used in SQL queries. This allows an attacker to inject arbitrary SQL commands directly into the database query. The vulnerability is present in all installations of version 1.0.4 [1].

Exploitation

Exploitation requires no authentication; the attacker can reach the vulnerable scripts directly from the network. By supplying crafted input to the id parameter (e.g., a numeric value followed by SQL injection syntax like ' OR '1'='1) or to the username field in the login form, the attacker can manipulate the underlying SQL query. For the login endpoint, injecting a malicious payload into the username parameter can bypass authentication entirely, as demonstrated in the public exploit code [1].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the database backend. Depending on database permissions, this can lead to extraction of all data (including user credentials), modification or deletion of records, and potentially escalation to remote code execution if the database server permits file operations or command execution via SQL. The attacker effectively gains the ability to read, modify, or destroy any data accessible to the database user the application connects as [1].

Mitigation

As of the publication date (2015-03-12), no official patch has been released for Betster 1.0.4. The application appears to be abandoned (last update in 2015). Users should immediately isolate any exposed instances, consider migrating to an alternative application, and apply input validation and parameterized queries as a general security measure. The exploit is publicly available and may be used by attackers targeting unpatched systems [1].
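The following is an added example, not code from Betster or from the NVD record, illustrating the flaw pattern described under Exploitation and the parameterized-query mitigation recommended above. It runs against an in-memory SQLite database; the `users` table, its columns, the account data and the sample inputs are all constructed for the demonstration and are not taken from the application.

```python
"""Added example (not Betster code): a string-concatenated login/profile
query pattern of the kind behind CVE-2015-2237, next to a parameterized
replacement, run against an in-memory SQLite database.
Table and column names are assumptions for the demo."""
import hashlib
import hmac
import os
import sqlite3


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a demo value, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user table holding a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password TEXT, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    # The legacy query compares a plaintext 'password' column; the hardened
    # path ignores that column and verifies salt + pw_hash in application code.
    conn.execute(
        "INSERT INTO users VALUES (1, 'alice', 'correct horse', ?, ?)",
        (salt, _hash_password("correct horse", salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Legacy pattern: user input is concatenated into the SQL text, so the
    username parameter can change the query's structure (the login flaw the
    advisory describes)."""
    sql = (
        "SELECT id, username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username: str, password: str):
    """Hardened: a bound placeholder keeps the input as data, and the password
    check moves out of SQL into a constant-time hash comparison."""
    row = conn.execute(
        "SELECT id, username, salt, pw_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    uid, name, salt, stored = row
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    return (uid, name)


def fetch_profile_vulnerable(conn, raw_id: str):
    """Legacy pattern for a showprofile.php-style lookup: raw 'id' spliced into SQL."""
    return conn.execute("SELECT id, username FROM users WHERE id = " + raw_id).fetchone()


def fetch_profile_parameterized(conn, raw_id: str):
    """Hardened: reject non-integer ids before they reach the database, then bind."""
    try:
        user_id = int(raw_id)
    except ValueError:
        return None
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    injected_user = "' OR '1'='1' --"   # constructed input, no valid password supplied
    print("vulnerable login, injected username:", login_vulnerable(db, injected_user, "wrong"))
    print("parameterized login, injected username:", login_parameterized(db, injected_user, "wrong"))
    print("parameterized login, real credentials:", login_parameterized(db, "alice", "correct horse"))
    print("vulnerable profile, injected id:", fetch_profile_vulnerable(db, "0 OR 1=1"))
    print("parameterized profile, injected id:", fetch_profile_parameterized(db, "0 OR 1=1"))
```

The concatenated login returns the account row without a valid password because the injected quote closes the string literal and the rest of the condition becomes part of the query; the parameterized version treats the same input as an ordinary (non-existent) username. For the numeric `id` case, converting to `int` before binding both rejects the injection and documents the expected type. The same two changes apply to a PHP application using PDO or mysqli prepared statements.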

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)