VYPR
High severity (8.2) · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2018-25398

Description

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Open ISES Project 3.30A via frm_passwd parameter in main.php allows unauthenticated attackers to extract sensitive database data.

Vulnerability

The Open ISES Project version 3.30A is vulnerable to SQL injection in the main.php script. The frm_passwd parameter is unsanitized, allowing unauthenticated attackers to inject arbitrary SQL commands via POST requests. [1][4]

Exploitation

An attacker can send a crafted POST request to main.php with a malicious frm_passwd value. No authentication is required. The exploit-db proof-of-concept demonstrates extracting database information such as usernames, database names, and version details using SQL injection techniques like UNION-based queries. [1]

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries, leading to disclosure of sensitive information (usernames, database schema, etc.). This may potentially escalate to further compromise depending on database permissions. [4]

Mitigation

As of the latest available version (v3.44.1 [3]), the vulnerability appears to be fixed, as the project has advanced beyond 3.30A. Users should upgrade to the latest stable release. No official patch for 3.30A has been released, but upgrading eliminates the vulnerability. [3][4]

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"User-supplied input is directly concatenated into SQL queries without sanitization or parameterization, enabling SQL injection."

Attack vector

An unauthenticated attacker sends crafted HTTP requests to any of the listed PHP endpoints with SQL injection payloads in the vulnerable parameters [ref_id=1]. For example, a POST to `main.php` with a `frm_passwd` value containing a single-quote, parenthesis, and stacked SQL subqueries triggers the injection [ref_id=1]. Because no authentication is required and the application directly concatenates user input into SQL queries, the attacker can extract database contents such as usernames, database names, and version strings via error-based or time-based techniques [ref_id=1].

Affected code

The exploit-db reference [ref_id=1] identifies multiple PHP files that accept unsanitized user input: `main.php` (via the `frm_passwd` POST parameter), `nearby.php` (via `tick_lat` and `tick_lng` GET parameters), `ajax/form_post.php` (via `id` and `ticket_id`), `sever_graph.php`, `inc_types_graph.php`, `city_graph.php` (via `p1`), and `add_facnote.php` (via `ticket_id`). No patch or source code is provided in the bundle, so the exact vulnerable functions are not visible.

What the fix does

The bundle does not include a patch or vendor advisory. The only remediation guidance available is implicit: the application should use parameterized queries (prepared statements) or properly escape/sanitize all user-supplied input before including it in SQL statements. Without a published fix, administrators should apply input validation and use prepared statements in all the identified PHP files [ref_id=1].
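Added example, not code from the Open ISES project (its source is not in the bundle): a hypothetical PHP login handler showing the concatenation pattern named as the root cause beside the prepared-statement form the remediation guidance calls for, reading the same `frm_passwd` POST parameter. The `users` table, its columns, the `frm_user` parameter and the connection details are assumptions.

```php
<?php
// Added illustration, not Open ISES code: the project's source is not in the
// bundle, so the users table, its columns and frm_user are hypothetical.

// Vulnerable pattern (the root cause quoted above): the POST value is pasted
// into the SQL text, so a quote inside frm_passwd changes the query grammar.
function login_vulnerable(mysqli $db, string $user, string $passwd): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $user
         . "' AND passwd = '" . $passwd . "'";
    $res = $db->query($sql);            // attacker-controlled SQL runs here
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened pattern: a prepared statement ships the SQL text and the values
// separately, so frm_passwd is only ever a string value, never SQL. The
// password is checked against a stored hash rather than a cleartext column.
function login_hardened(mysqli $db, string $user, string $passwd): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, passwd_hash FROM users WHERE username = ?'
    );
    $stmt->bind_param('s', $user);      // 's': bind $user as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if (!$row || !password_verify($passwd, $row['passwd_hash'])) {
        return null;
    }
    unset($row['passwd_hash']);
    return $row;
}

// Hypothetical main.php entry point. Database errors are logged server-side
// and never echoed, which also removes the error-based oracle the PoC relies on.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli('db.example', 'app', 'placeholder-password', 'ises_db');
    $account = login_hardened(
        $db,
        (string) ($_POST['frm_user'] ?? ''),
        (string) ($_POST['frm_passwd'] ?? '')
    );
    echo $account ? 'login ok' : 'login failed';
} catch (mysqli_sql_exception $e) {
    error_log('db error: ' . $e->getMessage());
    http_response_code(500);
    echo 'internal error';
}
```

The same bind-parameter pattern applies to the other endpoints listed above (`nearby.php`, `ajax/form_post.php`, the graph scripts, `add_facnote.php`), using `'i'` for integer parameters such as `id` and `ticket_id`.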

Preconditions

  • auth: No authentication required; the vulnerable endpoints are publicly accessible
  • network: Attacker must be able to send HTTP requests to the target web server
  • config: The application must be running The Open ISES Project version 3.30A
  • input: Attacker supplies crafted SQL payloads in the vulnerable parameters (e.g., frm_passwd, tick_lat, id, p1, ticket_id)

Reproduction

1. Send a POST request to `http://TARGET/[PATH]/main.php` with body `frm_passwd=') anD (SELect 155 FroM(SELECT COunt(*),COncaT(conCAT(0x203a20,UseR(),DatABASE(),VErSIoN()),0x7e,(seleCT (elT(155=155,1))),0x496873616e2053656e63616e,floOR(RAnd(0)*2))x frOM INFormATION_SchEMA.PLugINS GroUP BY x)a) And ('Efe'='Efe` [ref_id=1].
2. Alternatively, send a GET request to `http://TARGET/[PATH]/nearby.php?tick_lat=1)%20anD%20EXTRactVALUE(...)` with a crafted extractvalue payload [ref_id=1].
3. Observe the HTTP response body, which reflects database error messages containing extracted data such as the database user, database name, and MySQL version [ref_id=1].

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.