VYPR
High severity (CVSS 8.2) · NVD Advisory · Published Mar 12, 2026 · Updated Apr 15, 2026

CVE-2019-25530

Description

uHotelBooking System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the system_page GET parameter. Attackers can send crafted requests to index.php with malicious system_page values using time-based blind SQL injection techniques to extract sensitive database information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

uHotelBooking System is vulnerable to unauthenticated SQL injection via the system_page GET parameter, allowing data extraction through time-based blind techniques.

Vulnerability

Overview

The uHotelBooking System, a hotel management and booking platform, contains an SQL injection vulnerability in the system_page GET parameter handled by index.php. The application does not sanitize this user-supplied value before incorporating it into database queries, so an attacker can inject arbitrary SQL [1][2]. This is a classic instance of CWE-89, Improper Neutralization of Special Elements used in an SQL Command.

Exploitation

No authentication is required to exploit this flaw. An attacker can send crafted HTTP GET requests to index.php with a malicious system_page value. The provided proof-of-concept uses time-based blind SQL injection — for example, appending 'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z causes a measurable delay if the injection succeeds [2]. This enables the attacker to infer information bit by bit without seeing direct error output.

Impact

Successful exploitation allows an unauthenticated attacker to extract sensitive data from the underlying database, including user credentials, personal information, and booking records. The CVSS v3 score of 8.2 (High) reflects the ease of remote exploitation without privileges and the high confidentiality impact [1]. The vendor site was still active at the time of disclosure, but no official patch has been confirmed.

Mitigation

Status

As of the advisory, no patch is available for the current version. Operators of uHotelBooking System should implement input validation and parameterized queries for the system_page parameter, restrict direct database access, and consider using a Web Application Firewall (WAF) to block SQLi patterns [1][2].
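As an added illustration (not the advisory's text or the vendor's code), the following Python combines the two defender-side controls discussed above: an allowlist check on system_page so the raw value never reaches a query, and a scan of web-server access logs for the time-delay primitives that the time-based blind PoC depends on. The page names, the log lines and the combined-log format are constructed assumptions.

```python
"""Added example: defender-side checks for the system_page GET parameter.
Not part of the advisory or of uHotelBooking; page names and logs are constructed."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist of page names index.php is expected to serve.
ALLOWED_PAGES = {"home", "rooms", "booking", "contact"}

# MySQL time-delay primitives used by time-based blind SQLi (sleep/benchmark)
# plus the now()=sysdate() comparison that appears in the published PoC.
_TIME_BASED = re.compile(
    r"(sleep\s*\(|benchmark\s*\(|now\s*\(\s*\)\s*=\s*sysdate)", re.I)

# Apache/nginx combined log format (assumed): ip ident user [time] "req" status size
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample lines: one benign request, one carrying the PoC payload,
# and one unrelated static asset that the scanner must ignore.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2026:10:00:01 +0000] "GET /index.php?system_page=rooms HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Mar/2026:10:00:07 +0000] "GET /index.php?system_page=rooms%27XOR(if(now()=sysdate(),sleep(5),0))XOR%27Z HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Mar/2026:10:00:08 +0000] "GET /static/logo.png HTTP/1.1" 200 812',
]


def validate_system_page(value: str) -> Optional[str]:
    """Mitigation: return the value only if it is a known page name, else None.
    The caller then uses the validated name (or a parameterized query), never the raw input."""
    return value if value in ALLOWED_PAGES else None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Detection: return (client ip, decoded system_page value) for requests to
    index.php whose system_page carries time-delay SQL or an unknown, quoted value."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if not parts.path.endswith("index.php"):
            continue
        # parse_qs percent-decodes once and splits each pair on the first '=' only,
        # so an '=' inside the injected expression stays in the value.
        for value in parse_qs(parts.query).get("system_page", []):
            suspicious = _TIME_BASED.search(value) is not None or (
                validate_system_page(value) is None and "'" in value)
            if suspicious:
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in scan_access_log(SAMPLE_LOG):
        print(f"suspected time-based SQLi from {ip}: system_page={value!r}")
```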

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
