VYPR
High severity · CVSS 8.2 · NVD Advisory · Published Mar 6, 2026 · Updated Apr 15, 2026

CVE-2018-25192

Description

GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit crafted POST requests to the login.php endpoint with SQL injection payloads in the username field to gain unauthorized access without valid credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An SQL injection vulnerability in GPS Tracking System 2.12 allows unauthenticated attackers to bypass authentication via a crafted username parameter.

Vulnerability

Overview

GPS Tracking System version 2.12 contains an SQL injection vulnerability in the username parameter of the login endpoint (login.php). The application fails to properly sanitize user input, allowing an attacker to inject arbitrary SQL commands [1][2]. The flaw exists because the username field is concatenated directly into an SQL query without escaping or parameterization.

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to login.php with a malicious payload in the username field. For example, submitting '+or+1=1+or+''=' as the username bypasses authentication, resulting in a successful login and session creation [1]. No prior authentication or special network access is required, as the login page is publicly accessible.

Impact

Successful exploitation allows the attacker to gain unauthorized access to the GPS tracking application with the privileges of the first valid user in the database. This could lead to viewing sensitive tracking data, modifying system settings, or further compromising the underlying server [2]. The CVSS v3 score of 8.2 indicates a high severity due to the low complexity and network attack vector.

Mitigation

The vendor has not released a patch for this version, as the project appears to be inactive. Users are advised to upgrade to a maintained fork or implement input validation and parameterized queries to prevent SQL injection. For immediate protection, a web application firewall (WAF) can be configured to block malicious patterns in the username field.
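The following added example (not code from the GPS Tracking System project, whose source the advisory does not reproduce) models the login pattern described above in Python with an in-memory SQLite table: the concatenated query beside its parameterized replacement, plus an allowlist check of the kind the mitigation paragraph recommends. The schema, the sample accounts and the username allowlist are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's user table. The schema,
# the accounts and the plaintext password column are demo assumptions only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("driver1", "hunter2")])
    conn.commit()
    return conn

def login_concatenated(conn, username, password):
    """The pattern the advisory describes: user input spliced into the SQL text.
    Returns the matched username, or None when the login fails."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """The fix: bound parameters, so the input is always treated as data,
    never as part of the SQL statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")  # assumed allowlist for this demo

def is_valid_username(username):
    """Defence in depth: reject usernames outside a conservative allowlist
    before they reach any query; the same pattern works as a WAF or log rule."""
    return USERNAME_RE.fullmatch(username) is not None

# The advisory's payload after URL decoding ('+' is a space in form encoding).
BYPASS_USERNAME = "' or 1=1 or ''='"

if __name__ == "__main__":
    db = make_db()
    # AND binds tighter than OR, so the concatenated WHERE clause becomes true
    # for every row and the first user in the table is returned.
    print(login_concatenated(db, BYPASS_USERNAME, "x"))   # admin
    print(login_parameterized(db, BYPASS_USERNAME, "x"))  # None
    print(login_parameterized(db, "admin", "s3cret"))     # admin
    print(is_valid_username(BYPASS_USERNAME))             # False
```

The first call reproduces the "first valid user in the database" outcome the Impact section describes; the parameterized version returns no row for the same input.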

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 2
