CVE-2018-25402
Description
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inc_types_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Open ISES Project 3.30A is vulnerable to unauthenticated SQL injection via the p1 parameter in inc_types_graph.php, allowing data extraction.
Vulnerability
The Open ISES Project version 3.30A (and possibly earlier) contains a SQL injection vulnerability in the inc_types_graph.php script. An unauthenticated attacker can inject arbitrary SQL commands through the p1 GET parameter. The application fails to sanitize user input before incorporating it into SQL queries, leading to improper neutralization of special elements (CWE-89) [1][4].
Exploitation
An attacker can exploit this vulnerability by sending a crafted GET request to inc_types_graph.php with a malicious p1 parameter. No authentication or prior access is required. The exploit-db entry provides a proof-of-concept URL demonstrating the injection point [1]. The attacker can manipulate the SQL query to extract data from the database.
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries, leading to the disclosure of sensitive database information, including schema names, table structures, and stored data. This can compromise the confidentiality of the application's data [4].
Mitigation
The vendor has not released a specific security advisory for this vulnerability. However, the latest stable version available on SourceForge is v3.44.1 [3]. Users are advised to upgrade to the latest version as a potential mitigation, as it may include fixes for this issue. No official workaround has been provided [4].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-supplied input from the `p1` parameter (and other parameters) is concatenated directly into SQL queries without sanitization or parameterization."
Attack vector
An unauthenticated attacker can send crafted GET requests to any of the vulnerable endpoints (e.g., `inc_types_graph.php?p1=[SQL]`) with SQL injection payloads in the `p1` parameter [ref_id=1]. The payload uses `EXTRACTVALUE` and `GROUP_CONCAT` to extract schema names and database version information from the MySQL `INFORMATION_SCHEMA.SCHEMATA` table. No authentication or session is required, and the attack is performed over HTTP with a simple URL.
Affected code
The vulnerability exists in multiple PHP scripts of The Open ISES Project 3.30A, including `inc_types_graph.php`, `sever_graph.php`, `city_graph.php`, `nearby.php`, `ajax/form_post.php`, and `add_facnote.php`. These files pass unsanitized user-supplied parameters such as `p1`, `tick_lat`, `tick_lng`, `id`, and `ticket_id` directly into SQL queries.
What the fix does
The advisory does not include a patch or remediation guidance. To fix the vulnerability, the application must sanitize or parameterize all user-supplied input (such as `p1`, `tick_lat`, `tick_lng`, `id`, and `ticket_id`) before including it in SQL queries, for example by using prepared statements or input validation.
Preconditions
- config: The target must be running The Open ISES Project 3.30A with a MySQL backend.
- auth: No authentication is required; the vulnerable endpoints are publicly accessible.
- network: The attacker must be able to send HTTP GET requests to the target server.
- input: The attacker supplies a malicious SQL payload in the p1, tick_lat, tick_lng, id, or ticket_id query parameter.
Reproduction
Send a GET request to `http://TARGET/[PATH]/inc_types_graph.php?p1=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe`. The server responds with a page containing the extracted database schema names in the error message output [ref_id=1].
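As an added defender-side example (not code from the advisory or the Open ISES project), the following Python scans web-server access-log lines for requests to the endpoints and parameters listed above and flags values that carry the MySQL error-based injection markers once URL decoding and case folding are applied, so the mixed-case, percent-encoded form of the public PoC is not a bypass. The log lines, addresses and paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoints and parameters named in the advisory for Open ISES 3.30A.
VULNERABLE_ENDPOINTS = {
    "inc_types_graph.php", "sever_graph.php", "city_graph.php",
    "nearby.php", "ajax/form_post.php", "add_facnote.php",
}
WATCHED_PARAMS = {"p1", "tick_lat", "tick_lng", "id", "ticket_id"}

# Markers of the error-based technique described above; matched
# case-insensitively on the decoded value.
SQLI_MARKERS = re.compile(
    r"extractvalue\s*\(|updatexml\s*\(|group_concat\s*\(|information_schema\."
    r"|'\s*(and|or)\s|union\s+select|--\s", re.IGNORECASE)

# Request line of a combined-format access log: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

def inspect_request(method, url):
    """Return (endpoint, param, decoded_value) when a watched parameter on a
    vulnerable endpoint carries injection markers, otherwise None."""
    parts = urlsplit(url)
    path = parts.path
    endpoint = next((e for e in VULNERABLE_ENDPOINTS
                     if path == "/" + e or path.endswith("/" + e)), None)
    if endpoint is None:
        return None
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double-encoding
            if SQLI_MARKERS.search(decoded):
                return (endpoint, name, decoded)
    return None

def scan_log(lines):
    """Run inspect_request over raw log lines and collect the hits."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (hit := inspect_request(m["method"], m["url"])):
            hits.append(hit)
    return hits

# Constructed sample lines: a benign request, an injection attempt against the
# advisory's endpoint, and a suspicious value on an endpoint outside scope.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /ises/inc_types_graph.php?p1=3 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /ises/inc_types_graph.php?p1=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme)+frOM+INFOrmaTION_ScheMA.SCHEmatA),1))--%20x HTTP/1.1" 200 1804',
    '198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /ises/index.php?p1=1%27%20OR%201=1 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for endpoint, param, value in scan_log(SAMPLE_LOG):
        print(f"{endpoint} {param}={value!r}")
```

The scan is deliberately scoped to the advisory's endpoints and parameters; widen `VULNERABLE_ENDPOINTS` (or drop the endpoint check) if you want the same markers reported application-wide.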
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.