Unrated severity · NVD Advisory · Published Feb 22, 2018 · Updated Aug 5, 2024

CVE-2017-18194

Description

SQL injection vulnerability in users/signup.php in the "signup" component in HamayeshNegar CMS allows a remote attacker to execute arbitrary SQL commands via the "utype" parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in HamayeshNegar CMS signup.php allows remote attackers to execute arbitrary SQL commands via the utype parameter.

Vulnerability

The users/signup.php script in the signup component of HamayeshNegar CMS versions greater than 9.1.3 is vulnerable to SQL injection. The utype parameter is not properly sanitized, allowing an attacker to inject arbitrary SQL commands [1][2].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint. For example, appending `?utype=user' and(select 1 from(select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by 2)b)--+` to the URL extracts the database name [1]. The attacker only needs network access to the target.

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands, leading to disclosure of sensitive data from the database, such as user credentials or other confidential information. The attacker can potentially modify or delete data, depending on database permissions.

Mitigation

No official fix or patched version has been disclosed in the available references. Users are advised to apply input validation or parameterized queries to the utype parameter, or to upgrade to a newer version if one becomes available. The vendor homepage is http://www.hamayeshnegar.com/ [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the `utype` parameter of `users/signup.php` allows SQL injection."

Attack vector

An unauthenticated remote attacker sends a crafted HTTP GET request to `/users/signup.php` with a malicious `utype` parameter. The parameter value is injected directly into a SQL query, allowing the attacker to append SQL operators and functions such as `' and(select 1 from(select count(*),concat(...))a from information_schema.tables group by 2)b)--+` to extract database names [1]. No authentication or special privileges are required; the only precondition is that the target runs HamayeshNegar CMS version >9.1.3 [1].

Affected code

The vulnerable file is `users/signup.php` in the "signup" component of HamayeshNegar CMS. The `utype` parameter passed via HTTP GET is directly concatenated into SQL queries without sanitization [1].

What the fix does

No patch is provided in the bundle. The advisory does not include a fix or remediation guidance from the vendor [1]. To close the vulnerability, the application should use parameterized queries or prepared statements for the `utype` parameter in `users/signup.php`, or apply strict input validation to reject any non-alphanumeric characters.
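The two mitigations named on this page for `utype` (strict input validation and a prepared statement), shown together as an added example for PHP 8 with PDO; this is not HamayeshNegar's code or part of the advisory. The `signup_forms` table, its columns, the function names and the `referee` value are assumptions, and in-memory SQLite stands in for the CMS database.

```php
<?php
declare(strict_types=1);

// Added example, not HamayeshNegar code. Table, columns, function names and
// the 'referee' value are assumptions; only utype=user appears in the advisory.
const ALLOWED_UTYPES = ['user', 'referee'];

/** Return utype only if it is an exact allowlist member, otherwise null. */
function validate_utype(mixed $raw): ?string
{
    // Arrays (utype[]=x) and other non-strings are rejected outright.
    if (!is_string($raw)) {
        return null;
    }
    return in_array($raw, ALLOWED_UTYPES, true) ? $raw : null;
}

/** Look up the signup form for a user type using a bound parameter. */
function find_signup_form(PDO $db, string $utype): ?array
{
    // The value is sent separately from the SQL text, so quotes and comment
    // markers inside it cannot change the structure of the statement.
    $stmt = $db->prepare('SELECT id, title FROM signup_forms WHERE utype = :utype');
    $stmt->execute([':utype' => $utype]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In-memory SQLite stands in for the CMS database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE signup_forms (id INTEGER PRIMARY KEY, utype TEXT, title TEXT)');
$db->exec("INSERT INTO signup_forms (utype, title) VALUES ('user', 'Participant signup')");

// Constructed inputs: a valid value, then one carrying a quote and a boolean tail.
foreach (['user', "user' AND 1=1-- "] as $input) {
    $utype = validate_utype($input);
    if ($utype === null) {
        // Generic rejection only; no SQL is executed for this request.
        printf("%s => rejected (HTTP 400)\n", json_encode($input));
        continue;
    }
    $form = find_signup_form($db, $utype);
    printf("%s => %s\n", json_encode($input), $form['title'] ?? 'no form');
}

// Defence in depth: called without validation, the bound value is still only
// compared as a literal string against the utype column.
var_dump(find_signup_form($db, "user' AND 1=1-- "));
```

The request quoted in the advisory reads its result out of a database error message, so production deployments should also keep database errors out of HTTP responses. With the MySQL PDO driver, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the binding happen server-side.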

Preconditions

  • config: Target must be running HamayeshNegar CMS version >9.1.3
  • auth: No authentication required; the signup endpoint is publicly accessible
  • network: Attacker must be able to send HTTP GET requests to the target server
  • input: The utype parameter is accepted without sanitization

Reproduction

1. Identify a target running HamayeshNegar CMS version >9.1.3 (e.g., via the dork `intext:"همایش نگار ( پورتال آنلاین مدیریت و داوری همایش ) ویرایش"`).
2. Append `/users/signup.php?utype=user` to the target URL.
3. To extract the database name, send a request with the payload: `[Site]/users/signup.php?utype=user' and(select 1 from(select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by 2)b)--+` [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
