SourceCodester File Tracker Manager System POST Parameter login.php sql injection
Description
A vulnerability was found in SourceCodester File Tracker Manager System 1.0. It has been classified as critical. Affected is an unknown function of the file /file_manager/login.php of the component POST Parameter Handler. The manipulation of the argument username leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222648.
Affected products
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the username POST parameter allows SQL injection."
Attack vector
An attacker sends a crafted POST request to /file_manager/login.php with a malicious payload in the username parameter [ref_id=1]. The application does not sanitize or parameterize the input, so the payload is concatenated directly into a SQL query. By injecting a single quote followed by SQL control characters, the attacker can break out of the intended query structure. Time-based blind injection is demonstrated using a sleep(20) payload, confirming the vulnerability is exploitable remotely without authentication [ref_id=1].
Affected code
The vulnerable file is /file_manager/login.php, specifically the handling of the POST parameter 'username' [ref_id=1]. The researcher identifies this as the "Vulnerability File" and the parameter where SQL injection occurs.
What the fix does
No patch has been published by the vendor. The advisory does not include a fix commit or updated version [ref_id=1]. Remediation would require replacing dynamic SQL string building with parameterized queries (prepared statements) for the username input in /file_manager/login.php, and applying strict input validation or escaping for all user-supplied data.
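The two patterns contrasted below, the string-built query described under "Attack vector" and the prepared-statement remediation described above, are an added illustration and not code from the SourceCodester project or from the advisory. The table name `users`, the columns `username` and `password_hash`, the DSN, the credentials and the username character whitelist are all assumptions made for this example.

```php
<?php
// Added illustration, not the project's /file_manager/login.php.
// Table `users` with columns `username` / `password_hash` is assumed.

// --- Vulnerable pattern: user input concatenated into the SQL text. ---
// A quote in $username changes the structure of the statement, which is
// the defect the advisory describes (CWE-89). Shown for comparison only.
function login_vulnerable(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT id, password_hash FROM users WHERE username = '" . $username . "'";
    $result = $db->query($sql);          // data and code travel as one string
    if ($result === false) {
        return false;                    // malformed SQL surfaces as an error here
    }
    $row = $result->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// --- Hardened pattern: prepared statement with a bound parameter. ---
// The statement text is fixed before any user data is supplied; the
// username is sent separately as a value and is never parsed as SQL.
function login_safe(PDO $db, string $username, string $password): bool
{
    // Reject malformed input before it reaches the database.
    // Length limit and character set are assumptions for this example.
    if ($username === '' || strlen($username) > 64
        || !preg_match('/^[A-Za-z0-9_.@-]+$/', $username)) {
        return false;
    }

    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a stored hash; never compare the password inside SQL.
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Connection setup: turn off emulated prepares so the MySQL server performs
// the binding itself, and raise exceptions instead of returning false.
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=file_tracker;charset=utf8mb4'; // assumed DSN
    return new PDO($dsn, 'app_user', getenv('DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Typical use in the login handler:
// $ok = login_safe(connect(), $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Two points follow from the comparison. First, `login_vulnerable` returns a database error to the caller when the input breaks the statement, which is exactly the signal the reproduction section relies on; with `ERRMODE_EXCEPTION` and `display_errors` off in production, such failures are logged rather than shown. Second, the whitelist in `login_safe` is defence in depth, not the fix: the prepared statement alone removes the injection, and the validation only shrinks what reaches the database.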
Preconditions
- Network: attacker must be able to send HTTP POST requests to the target server.
- Input: no authentication required; the login page is publicly accessible.
Reproduction
1. Send a POST request to /file_manager/login.php with `username=a'&password=b`. The server returns an SQL error, confirming injection.
2. Send a second POST request with `username=a' and (select 1 from (select(sleep(20)))a)-- a&password=b`. The server response is delayed by approximately 20 seconds, confirming time-based blind SQL injection [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/godownio/bug_report/blob/main/vendors/hemedy99/File%20Tracker%20Manager%20System/SQLi-1.md (mitre, exploit)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.