CVE-2018-18801
Description
The BSEN Ordering software 1.0 has SQL Injection via student/index.php?view=view&id=[SQL] or index.php?q=single-item&id=[SQL].
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BSEN Ordering software 1.0 suffers from SQL injection in two endpoints, allowing remote unauthenticated attackers to extract database contents.
Vulnerability
The BSEN Ordering software version 1.0 (also referred to as E-Negosyo System) contains a SQL injection vulnerability in two endpoints accessible without authentication. The vulnerable parameters are the id parameter in student/index.php?view=view&id=[SQL] and index.php?q=single-item&id=[SQL]. The application fails to sanitize user-supplied input before constructing SQL queries, allowing an attacker to inject arbitrary SQL commands [1][2].
Exploitation
An attacker exploits this vulnerability by sending a crafted HTTP GET request to either endpoint; no authentication or prior user interaction is required. The public proof-of-concept is an in-band, UNION-based injection rather than a blind one: the injected SELECT's rows are returned in the page alongside (or instead of) the legitimate result, and the exploit uses this channel to enumerate database schema information. Any SQL injection payload that fits the query context will work, the UNION SELECT in the public exploit being one instance [1]. The vulnerability is remotely exploitable over the network [1][2].
Impact
Successful exploitation allows an attacker to read arbitrary data from the database, including potentially sensitive information such as user credentials, personal data, and application secrets. The advisory does not demonstrate file write or remote code execution; whether the injection can be escalated that far depends on the privileges of the database account the application connects with, which the references do not document. Even as pure information disclosure it can lead to further compromise, for example if recovered credentials are reused elsewhere [1].
Mitigation
No official patch or updated version has been released by the vendor as of the publication date (2018-11-16). The software may be abandoned or end-of-life. Until a fix is available, mitigation is limited to removing or restricting access to the vulnerable endpoints, or deploying web application firewall (WAF) rules that block common SQL injection patterns (a stopgap only, since such rules are routinely bypassed). Users are advised to migrate to an alternative solution that is actively maintained [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `id` parameter allows direct embedding of user-controlled data into SQL queries."
Attack vector
An unauthenticated attacker can inject arbitrary SQL commands by appending a malicious payload to the `id` parameter in either `student/index.php?view=view&id=[SQL]` or `index.php?q=single-item&id=[SQL]` [ref_id=1]. The provided proof-of-concept demonstrates a UNION-based injection that extracts database schema information, including table and column names, by sending a crafted HTTP GET request [ref_id=1]. No authentication or special privileges are required; the attacker only needs network access to the web application.
Affected code
The vulnerable parameters are the `id` parameter in `student/index.php?view=view&id=` and the `id` parameter in `index.php?q=single-item&id=`. The application fails to sanitize user-supplied input before using it in SQL queries [ref_id=1].
What the fix does
No patch or official fix is included in the bundle. The advisory does not provide remediation guidance beyond the disclosure of the vulnerability [ref_id=1]. To close the vulnerability, the application should use prepared statements or parameterized queries for every database interaction that involves user-supplied input, and should validate the `id` parameter before it reaches the query: it is a row identifier, so anything that is not a positive integer should be rejected rather than passed through.
Preconditions
- network: The attacker must have network access to the web application's HTTP endpoint.
- auth: No authentication or session is required; the vulnerable endpoints are publicly accessible.
- config: The application must be running the BSEN Ordering software version 1.0 with the vulnerable PHP files in place.
- input: The attacker supplies a malicious SQL payload via the `id` GET parameter.
Reproduction
1. Identify the target URL running BSEN Ordering software 1.0.
2. Send a GET request to `http://target/[PATH]/student/index.php?view=view&id=[SQL]` or `http://target/[PATH]/index.php?q=single-item&id=[SQL]`, replacing `[SQL]` with a malicious SQL payload (e.g., a UNION SELECT statement).
3. Observe the response; injected data from the database will be reflected in the HTML output, confirming SQL injection [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/45730/ (EXPLOIT-DB)
- packetstormsecurity.com/files/150017/E-Negosyo-System-1.0-SQL-Injection.html (MISC)
News mentions
No linked articles in our index yet.