VYPR
Unrated severity · NVD Advisory · Published May 11, 2023 · Updated Aug 2, 2024

SourceCodester Lost and Found Information System SQL injection

CVE-2023-2652

Description

A vulnerability classified as critical has been found in SourceCodester Lost and Found Information System 1.0. Affected is an unknown function of the file /classes/Master.php?f=delete_item. The manipulation leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-228780.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A critical SQL injection vulnerability in SourceCodester Lost and Found Information System 1.0 allows unauthenticated remote attackers to inject SQL into the DELETE statement behind the delete_item action of /classes/Master.php.

Vulnerability

In SourceCodester Lost and Found Information System version 1.0, the file /classes/Master.php exposes a delete_item action reached via the f=delete_item query parameter (the delete_item() function in the reference write-up). That action reads the id POST parameter and interpolates it directly into a DELETE statement, with no parameterization, escaping or type check, a classic SQL injection. The vulnerability is confirmed by the publicly available proof-of-concept [1].

Exploitation

An attacker can exploit this vulnerability remotely with no authentication, prior privileges or user interaction: a single crafted POST request to /classes/Master.php?f=delete_item whose id parameter carries a SQL injection payload. The published proof-of-concept uses an error-based payload built on MySQL's GTID_SUBSET() function, not a time-based one: GTID_SUBSET() rejects a malformed argument with an error message that echoes that argument, so the attacker wraps a SELECT inside it and reads the result straight out of the database error rather than timing responses [1].

Impact

Successful exploitation lets an attacker run SQL of their choosing in the context of the application's database connection. Because the injection point is the WHERE clause of a DELETE, an always-true condition deletes every row of item_list, and error-based payloads such as the published one can read other tables, including user credentials, personal information and lost-item records. The attacker may also modify data, compromising the integrity and availability of the application. Whether the impact extends beyond the database to the underlying host (for example, reading or writing files on the server) depends on the privileges of the account the application uses to connect and on the database server's configuration [1].

Mitigation

As of the publication date of this CVE (May 11, 2023), SourceCodester had released no official patch and no fixed version. Until one exists, the recommended mitigation is to take the application offline or restrict it to trusted networks. For code-level remediation, replace every dynamically built SQL statement with a prepared statement and bound parameters (or an ORM that does so), and additionally validate that id is an integer before it reaches the query. Escaping alone is fragile because it has to be done correctly in every quoting context, and validation alone does not remove the root cause; parameterization does [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the `delete_item()` function allows direct SQL injection via the `id` POST parameter."

Attack vector

An attacker sends a POST request to `/classes/Master.php?f=delete_item` with a crafted `id` parameter in the multipart form body. The `id` value is concatenated directly into a DELETE statement, so an error-based payload such as `' AND GTID_SUBSET(CONCAT(...))--` turns the database's error message into an exfiltration channel [ref_id=1]. The attack is remotely exploitable with no authentication required.

Affected code

The vulnerable function is `delete_item()` in `/classes/Master.php`. It interpolates the `$id` value taken from the POST body into the SQL text without sanitization or type checking: ``$del = $this->conn->query("DELETE FROM `item_list` where id = '{$id}'");`` [ref_id=1].

What the fix does

No patch is provided in the bundle, and the advisory [ref_id=1] includes no remediation guidance. The fix is to stop building the statement from strings: bind `id` as a parameter of a prepared statement, and reject (or cast to an integer) any `id` that is not purely numeric before the query runs.
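The following is an added example written for this page, not code from the SourceCodester project or from the reference write-up. It reproduces the pattern behind the vulnerable statement above and the fix recommended here and in the Mitigation section, and runs it against an in-memory SQLite table; SQLite stands in for the application's MySQL database, and the table columns, the sample rows and the function names are all assumptions. The `POC_ID` value is the payload quoted in the Reproduction section.

```python
import re
import sqlite3

# Constructed sample rows standing in for the application's `item_list` table.
# SQLite is used so the example runs offline; the interpolation bug behaves the
# same way on MySQL, which is what the application actually uses.
SAMPLE_ROWS = [(1, "wallet"), (2, "keys"), (3, "umbrella")]

# The error-based id value quoted in the advisory's reproduction section.
POC_ID = ("' AND GTID_SUBSET(CONCAT(0x717a6a7071,(SELECT (ELT(8125=8125,1))),"
          "0x71707a7071),8125)-- jKyA")


def make_db():
    """Create a fresh in-memory database holding the constructed item_list rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item_list (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO item_list VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM item_list").fetchone()[0]


def build_vulnerable_query(id_value):
    """Mirror the advisory's statement: the POST value is spliced into the SQL text.

    PHP original: "DELETE FROM `item_list` where id = '{$id}'"
    """
    return f"DELETE FROM item_list WHERE id = '{id_value}'"


def delete_item_vulnerable(conn, id_value):
    """String-interpolated DELETE, as shipped. Returns the rows left afterwards."""
    conn.execute(build_vulnerable_query(id_value))
    conn.commit()
    return count_rows(conn)


def delete_item_vulnerable_error(conn, id_value):
    """Run the vulnerable DELETE and hand back the database error text, if any.

    Error-based injection depends on exactly this leak: the DB error reaches the
    attacker. SQLite has no GTID_SUBSET(), so here the error is only
    'no such function'; on MySQL the GTID_SUBSET() error message echoes the
    CONCAT() argument, i.e. the data the attacker selected.
    """
    try:
        conn.execute(build_vulnerable_query(id_value))
    except sqlite3.Error as exc:
        return str(exc)
    return None


def delete_item_fixed(conn, id_value):
    """Hardened version: reject anything but an integer id, then bind it.

    Raises ValueError on a non-numeric id so the HTTP layer can answer 400
    without the value ever reaching the database.
    """
    if not re.fullmatch(r"[0-9]+", str(id_value)):
        raise ValueError("id must be a non-negative integer")
    conn.execute("DELETE FROM item_list WHERE id = ?", (int(id_value),))
    conn.commit()
    return count_rows(conn)


if __name__ == "__main__":
    db = make_db()
    print(delete_item_vulnerable(db, "2"))            # 2: one row removed, as intended
    print(delete_item_vulnerable(db, "' OR '1'='1"))  # 0: a tautology wipes the table
    print(delete_item_vulnerable_error(make_db(), POC_ID))
    db = make_db()
    print(delete_item_fixed(db, "2"))                 # 2
    try:
        delete_item_fixed(db, "' OR '1'='1")
    except ValueError as err:
        print("rejected:", err)
```

The two checks in `delete_item_fixed` are independent defences: the bound parameter is what removes the injection, and the integer check is what lets the application fail closed before a malformed value is even sent to the server.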

Preconditions

  • network: The attacker must be able to send HTTP POST requests to the target server.
  • auth: No authentication is required; the vulnerable endpoint is publicly accessible.
  • input: The attacker controls the `id` POST parameter value.

Reproduction

Send a POST request to `/classes/Master.php?f=delete_item` with a multipart/form-data body whose `id` field is an error-based SQL injection payload, for example: `' AND GTID_SUBSET(CONCAT(0x717a6a7071,(SELECT (ELT(8125=8125,1))),0x71707a7071),8125)-- jKyA` [ref_id=1]. On MySQL this produces a "Malformed GTID set specification" error that contains the hex marker bytes and the selected value; the trailing `-- jKyA` is sqlmap's comment terminator (MySQL requires whitespace after `--` for it to start a comment, and the random token only keeps that space from being stripped). The full HTTP request with headers is provided in the reference write-up [ref_id=1].
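For the detection side of the request described above, the following is an added example written for this page (not code from the project or the reference) that runs a simple rule over captured requests such as a WAF or reverse-proxy audit log would hold. The request records, the multipart boundary and the benign traffic are constructed samples; the first record mirrors the reproduction request with the payload quoted above. The `Content-Type` parsing is deliberately minimal and is an assumption about how captures are stored.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed captured requests (e.g. from a WAF or reverse-proxy audit log),
# not real traffic. The first mirrors the advisory's reproduction request.
BOUNDARY = "----WebKitFormBoundaryExample"
POC_ID = ("' AND GTID_SUBSET(CONCAT(0x717a6a7071,(SELECT (ELT(8125=8125,1))),"
          "0x71707a7071),8125)-- jKyA")


def multipart_body(fields):
    """Build a minimal multipart/form-data body for the constructed samples."""
    parts = []
    for name, value in fields.items():
        parts.append(f"--{BOUNDARY}\r\nContent-Disposition: form-data; "
                     f'name="{name}"\r\n\r\n{value}\r\n')
    parts.append(f"--{BOUNDARY}--\r\n")
    return "".join(parts)


SAMPLE_REQUESTS = [
    {"method": "POST", "url": "/classes/Master.php?f=delete_item",
     "content_type": f"multipart/form-data; boundary={BOUNDARY}",
     "body": multipart_body({"id": POC_ID})},
    {"method": "POST", "url": "/classes/Master.php?f=delete_item",
     "content_type": f"multipart/form-data; boundary={BOUNDARY}",
     "body": multipart_body({"id": "17"})},
    {"method": "POST", "url": "/classes/Master.php?f=delete_item",
     "content_type": "application/x-www-form-urlencoded",
     "body": "id=17%27+OR+%271%27%3D%271"},
    {"method": "POST", "url": "/classes/Master.php?f=login",
     "content_type": "application/x-www-form-urlencoded",
     "body": "username=alice&password=hunter2"},
]

# MySQL functions that sqlmap's error-based payloads lean on; any of them inside
# a field that should be a bare integer is a strong signal on its own.
ERROR_BASED_FUNCS = re.compile(r"\b(GTID_SUBSET|EXTRACTVALUE|UPDATEXML)\s*\(", re.I)
# One multipart part: the Content-Disposition name, a blank line, then the value
# up to the next boundary marker.
MULTIPART_FIELD = re.compile(r'name="([^"]+)"\r\n\r\n(.*?)\r\n--', re.S)


def extract_form_field(req, name):
    """Pull one form field out of a multipart or urlencoded POST body."""
    if req["content_type"].startswith("multipart/form-data"):
        fields = dict(MULTIPART_FIELD.findall(req["body"]))
        return fields.get(name)
    return parse_qs(req["body"]).get(name, [None])[0]


def inspect_request(req):
    """Return detection findings for one captured request (empty list = clean)."""
    findings = []
    parts = urlsplit(req["url"])
    if req["method"] != "POST" or parts.path != "/classes/Master.php":
        return findings
    if parse_qs(parts.query).get("f", [None])[0] != "delete_item":
        return findings
    item_id = extract_form_field(req, "id")
    if item_id is None:
        return findings
    if not re.fullmatch(r"[0-9]+", item_id):
        findings.append("non-numeric id sent to delete_item")
    if ERROR_BASED_FUNCS.search(item_id):
        findings.append("error-based SQLi function in id")
    return findings


def triage(requests):
    """Map each request index to its findings, keeping only flagged requests."""
    return {i: f for i, r in enumerate(requests) if (f := inspect_request(r))}


if __name__ == "__main__":
    for index, findings in triage(SAMPLE_REQUESTS).items():
        print(index, findings)
```

The integer rule is the one worth keeping: it catches the mass-delete variant (`17' OR '1'='1`) that carries no recognisable function name, while the function-name rule only adds confidence for the sqlmap-style payload.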

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.