CVE-2018-25401
Description
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to sever_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Open ISES Project 3.30A is vulnerable to unauthenticated SQL injection via the p1 parameter in sever_graph.php, allowing attackers to extract sensitive database information.
Vulnerability
The Open ISES Project version 3.30A (and possibly earlier) contains a SQL injection vulnerability in sever_graph.php. The p1 parameter is not properly sanitized, allowing unauthenticated attackers to inject arbitrary SQL queries via GET requests [1][4].
Exploitation
An attacker can send a crafted GET request to sever_graph.php with a malicious p1 parameter containing SQL injection payloads. No authentication is required. The Exploit-DB reference provides a proof-of-concept demonstrating the injection through the tick_lat parameter (likely a variant of p1) [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries, leading to information disclosure such as database schema names and other sensitive data [4]. The CVSS v4 vector indicates high confidentiality impact and low integrity impact, meaning the attacker can read but not significantly modify data [4].
Mitigation
Upgrade to a version newer than 3.30A, such as v3.44.1 or v4.0, as indicated on the project homepage [3]. The vulnerability is fixed in later releases. No workaround is available for unpatched versions.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 3.30A
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-supplied input from the `p1` parameter is concatenated directly into SQL queries without sanitization or parameterization, enabling SQL injection."
Attack vector
An unauthenticated attacker can send crafted GET or POST requests to any of the vulnerable PHP scripts, injecting SQL payloads through parameters like `p1` in `sever_graph.php` [ref_id=1]. The injection uses techniques such as `EXTRACTVALUE` and `GROUP_CONCAT` to extract database schema names, user credentials, and version information. No authentication is required, and the attack is performed over HTTP with no special privileges needed.
Affected code
The vulnerability exists in `sever_graph.php`, `inc_types_graph.php`, `city_graph.php`, `nearby.php`, `ajax/form_post.php`, `add_facnote.php`, and `main.php` within The Open ISES Project 3.30A. These scripts pass unsanitized user input from parameters such as `p1`, `tick_lat`, `tick_lng`, `id`, `ticket_id`, and `frm_passwd` directly into SQL queries.
What the fix does
The advisory does not provide a patch or remediation guidance. To fix the vulnerability, the application must sanitize or parameterize all user-supplied input before including it in SQL queries. Prepared statements or parameterized queries should replace direct string concatenation in every affected script to prevent SQL injection.
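The fix described above, shown as an added PHP illustration rather than code from The Open ISES Project: the first function reproduces the vulnerable shape (raw `p1` concatenated into the SQL text); the second replaces it with a PDO prepared statement plus an input check. The table and column names, the assumption that `p1` is a numeric id, and the in-memory SQLite database used for the demonstration are all choices made for this example, not details taken from the project.

```php
<?php
// Added illustration, not code from The Open ISES Project.
// Table/column names and the numeric type of p1 are assumptions for this example.

// Vulnerable pattern (the shape the advisory describes): the raw p1 value
// is spliced into the SQL text, so a quote inside p1 rewrites the statement.
function buildQueryUnsafe(string $p1): string
{
    return "SELECT lat, lng FROM tickets WHERE id = '" . $p1 . "'";
}

// Hardened pattern: the SQL text is constant; p1 travels as a bound
// parameter, so whatever it contains is treated as a value, never as SQL.
function fetchTicketSafe(PDO $db, string $p1): array
{
    // Reject anything that cannot be a ticket id before touching the database.
    if (!preg_match('/^\d{1,10}$/', $p1)) {
        http_response_code(400);
        return [];
    }
    // On MySQL, turn off client-side emulation so the server performs the binding.
    if ($db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    $stmt = $db->prepare('SELECT lat, lng FROM tickets WHERE id = :id');
    $stmt->bindValue(':id', (int) $p1, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration with a constructed input containing a single quote.
$p1 = $_GET['p1'] ?? "1' OR '1'='1";

echo buildQueryUnsafe($p1), PHP_EOL;
// The printed statement now has an extra OR clause: the structure was changed by input.

// Constructed in-memory database so the safe path can be exercised offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, lat REAL, lng REAL)');
$db->exec('INSERT INTO tickets VALUES (1, 40.7, -74.0), (2, 34.0, -118.2)');

var_dump(fetchTicketSafe($db, $p1));  // empty array: value rejected as non-numeric
var_dump(fetchTicketSafe($db, '1'));  // one row for ticket 1
```

The input check is a second, independent layer: even if a script later reintroduces string building, a value that is not a short run of digits never reaches the query. The same two changes (validate, then bind) apply to each of the other parameters the advisory lists (`tick_lat`, `tick_lng`, `id`, `ticket_id`, `frm_passwd`), with the validation rule adjusted to the type each one is expected to carry.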
Preconditions
- Network: The attacker must be able to send HTTP requests to the target server running The Open ISES Project 3.30A.
- Auth: No authentication or session is required for exploitation.
Reproduction
Send a GET request to `http://TARGET/[PATH]/sever_graph.php?p1=1'%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe`. The server responds with an HTTP 200 and the response body contains extracted database schema information, confirming the SQL injection [ref_id=1].
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.