CVE-2022-28607
Description
An issue was discovered in asith-eranga ISIC tour booking through the version published on Feb 13th 2018; it allows attackers to gain sensitive information via the action parameter to /system/user/modules/mod_users/controller.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An information disclosure flaw in asith-eranga ISIC tour booking (Feb 13 2018) leaks admin usernames, enabling SQLi login bypass and webshell upload leading to RCE.
Vulnerability
An information disclosure vulnerability exists in asith-eranga ISIC tour booking through the version published on February 13, 2018 [1]. The flaw is triggered by sending a POST request to /system/user/modules/mod_users/controller.php with the parameter action=view. This exposes the admin username without authentication, as described in the advisory [1]. The application is written in PHP and uses a vulnerable custom login function in /system/user/modules/mod_users/helper.php that concatenates user input directly into an SQL query, enabling SQL injection [1].
Exploitation
The attacker first exploits the information disclosure by sending a POST request to the vulnerable controller with action=view, retrieving the admin username (e.g., "admin") [1]. Next, the attacker uses SQL injection to bypass the login mechanism. The login function in helper.php constructs an SQL query using the username parameter without sanitization: $this->MDatabase->select($this->table_name, "*", "username='" . $this->username() . "'", "id DESC"). The attacker can inject a UNION SELECT statement to control the returned password hash. For example, submitting username=admin' union select 1,2,3,4,5,6,'0192023a7bbd73250516f069df18b500',8,9 limit 1,1# (where the hash corresponds to "admin123") and password=admin123 yields a successful login, providing a valid authenticated session [1]. With that session, the attacker can upload a webshell via the file manager component at /system/application/libs/js/tinymce/plugins/filemanager/upload.php, after first sending a GET request to dialog.php to set up the session state [1].
Impact
Successful exploitation allows an unauthenticated attacker to gain the admin username, bypass authentication, upload a webshell, and achieve remote code execution (RCE) on the target server. This leads to full compromise of the web application and potentially the underlying host [1].
Mitigation
As of the available references [1], no official patch has been released for this specific version (published Feb 13, 2018). The vendor has not published a fixed version or announced a security update. Users are advised to upgrade to a later, patched version if available, or to remove or restrict access to the vulnerable controller and the file upload functionality. Any fix should replace the string-concatenated query in helper.php with a parameterized one and require an authenticated session before controller.php serves action=view. Until a fix is applied, the system remains vulnerable to full takeover.
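The following PHP is an added example, not code from the ISIC tour booking project or the advisory. It places the injectable concatenation pattern that the Vulnerability section quotes from helper.php next to a parameterized login, and puts an authentication gate in front of the controller's view action, which is the unauthenticated disclosure described above. The table name users, the column names id/username/password, the connect() helper and the PDO driver options are assumptions; the advisory does not give the application's real schema or database layer.

```php
<?php
// Added example (not the ISIC tour booking project's code). Contrasts the
// injectable pattern described in the CVE with a parameterized login and an
// authentication gate on the user controller. Table "users" and columns
// id/username/password are assumptions; the real schema is not in the advisory.
declare(strict_types=1);

// Assumed connection helper. Emulated prepares are switched off so MySQL
// performs real server-side parameter binding instead of client-side quoting.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// --- Vulnerable pattern (illustrative only) ---------------------------------
// The caller-supplied name is concatenated straight into the WHERE clause, so a
// quote character in the input changes the query structure. This mirrors the
// "username='" . $this->username() . "'" condition quoted in the advisory; the
// project's MDatabase wrapper is not reproduced here.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT * FROM users WHERE username='" . $username . "' ORDER BY id DESC";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened login ----------------------------------------------------------
// 1. The username is a bound parameter, never SQL text, so no input can splice
//    a UNION or comment out the rest of the statement.
// 2. The stored credential is checked with password_verify() against a
//    password_hash() value; a leaked hash therefore does not yield the password.
// 3. Callers only learn "success" or "failure", never which part was wrong.
function authenticate(PDO $db, string $username, string $password): ?array
{
    // Constant dummy hash keeps the failure path doing the same work whether
    // or not the user exists (computed once, assumed acceptable at startup).
    static $dummyHash = null;
    $dummyHash ??= password_hash('no-such-user', PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'SELECT id, username, password FROM users WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $storedHash = $row === false ? $dummyHash : $row['password'];
    if (!password_verify($password, $storedHash) || $row === false) {
        return null;
    }
    unset($row['password']);          // never hand the hash back to callers
    return $row;
}

// --- Controller gate ---------------------------------------------------------
// The disclosure in this CVE is action=view answering without a session.
// Every action that reveals account data sits behind this check.
function requireLogin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('authentication required');
    }
}

function handleUserAction(PDO $db, string $action): void
{
    switch ($action) {
        case 'view':
            requireLogin();           // the missing step behind the disclosure
            $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
            $stmt->execute([':id' => $_SESSION['user_id']]);
            header('Content-Type: application/json');
            echo json_encode($stmt->fetch(PDO::FETCH_ASSOC));
            break;
        default:
            http_response_code(400);
            echo 'unknown action';
    }
}
```

The two changes that matter are independent: the prepared statement closes the login bypass even if the controller stays exposed, and requireLogin() closes the username disclosure even if the query stays concatenated. A fix should apply both, because the chain in the Exploitation section needs the disclosed username and the bypass together.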
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
asith-eranga / ISIC tour booking
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
No linked articles in our index yet.