Unrated severity · NVD Advisory · Published Mar 12, 2023 · Updated Aug 2, 2024

SourceCodester Gadget Works Online Ordering System POST Parameter login.php sql injection

CVE-2023-1358

Description

A vulnerability, which was classified as critical, was found in SourceCodester Gadget Works Online Ordering System 1.0. This affects an unknown part of the file /philosophy/admin/login.php of the component POST Parameter Handler. The manipulation of the argument user_email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222861 was assigned to this vulnerability.

Affected products

SourceCodester Gadget Works Online Ordering System 1.0

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization on the `user_email` POST parameter in the login handler allows SQL injection."

Attack vector

An attacker sends a crafted POST request to `/philosophy/admin/login.php` with a malicious `user_email` parameter [ref_id=1]. The payload uses boolean-based blind SQL injection techniques, such as `a' rlike (select (case when (666=666) then 0x61 else 0x28 end))-- b`, to infer database contents based on server response differences [ref_id=1]. A time-based blind payload (`a' and (select 1 from (select(sleep(20)))a)-- a`) is also demonstrated, causing a 20-second server delay [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication required [ref_id=1].

Affected code

The vulnerability exists in the file `/philosophy/admin/login.php` of the Gadget Works Online Ordering System [ref_id=1]. The POST parameter `user_email` is processed without proper sanitization, allowing SQL injection [ref_id=1].

What the fix does

No patch or official fix is included in the bundle, and the advisory does not provide remediation guidance from the vendor. To close this vulnerability, the login handler should pass `user_email` to the database through a prepared statement or parameterized query, so the value is never spliced into the SQL text, and should apply input validation that rejects SQL metacharacters before the query is built.
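As an added illustration, not code from SourceCodester or from this advisory, the login lookup written the two ways discussed above: the unsafe string-concatenation pattern that lets `user_email` reach the SQL parser, and the prepared-statement version. The `$pdo` connection, the `admin_users` table and the `password_hash` column are assumptions; the validation step is narrowed from "reject SQL metacharacters" to "accept only a syntactically valid e-mail address", which rejects those characters as a side effect.

```php
<?php
// Added example, not the project's code. Table and column names are assumptions.
// Assumed: $pdo is a PDO connection created with PDO::ERRMODE_EXCEPTION.

// Unsafe pattern (the bug class described in this advisory): the POST value is
// interpolated into the query string, so quotes and operators inside user_email
// are parsed by MySQL as part of the statement.
function lookupAdminUnsafe(PDO $pdo, string $email): ?array
{
    $sql = "SELECT id, password_hash FROM admin_users WHERE user_email = '$email'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: validate first, then bind the value with a prepared statement. The
// SQL text and the parameter travel separately, so the database never treats
// the contents of user_email as SQL, whatever characters it contains.
function lookupAdminSafe(PDO $pdo, string $email): ?array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // not an e-mail address at all; never touches the database
    }
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM admin_users WHERE user_email = :email LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login check built on the hardened lookup (assumed handler shape).
function adminLogin(PDO $pdo, string $email, string $password): ?int
{
    $row = lookupAdminSafe($pdo, $email);
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    return (int) $row['id'];
}

// In the request handler (assumed field names, matching the advisory's user_email):
// $adminId = adminLogin($pdo, $_POST['user_email'] ?? '', $_POST['password'] ?? '');
```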

Preconditions

  • Network: The attacker must be able to send HTTP POST requests to the target server.
  • Auth: No authentication is required; the login page is publicly accessible.

Reproduction

1. Send a POST request to `http://

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References