SourceCodester Lost and Found Information System index.php sql injection
Description
A vulnerability classified as critical was found in SourceCodester Lost and Found Information System 1.0. Affected by this vulnerability is an unknown functionality of the file items/index.php. Manipulation of the argument cid leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228781 was assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lost and Found Information System 1.0 has a SQL injection in items/index.php via the cid parameter, allowing unauthenticated remote attackers to extract or modify data.
Vulnerability
Lost and Found Information System version 1.0 contains a SQL injection vulnerability in the file items/index.php. The cid parameter is directly concatenated into a SQL query without sanitization: $category_qry = $conn->query("SELECT * FROM category_list where id = '{$_GET['cid']}'");. An unauthenticated attacker can inject arbitrary SQL commands via this parameter. The application was built with PHP and MySQL [1].
Exploitation
An attacker sends a crafted HTTP GET request to /?page=items&cid=[payload]. The payload is placed in the cid parameter. A proof-of-concept uses a time-based blind technique with AND (SELECT 8856 FROM (SELECT(SLEEP(5)))RZAm) AND 'XJUv'='XJUv to delay the response by 5 seconds, confirming injection. No authentication is required; only network access to the web server is needed [1]. Another injection point exists in classes/Master.php?f=delete_item via a POST parameter id that also allows blind SQL injection [1].
Impact
Successful exploitation allows an attacker to retrieve arbitrary data from the database (e.g., user credentials, application data), modify records, or potentially execute administrative operations. The attacker can use automated tools like sqlmap to dump the entire database. The vulnerability leads to full compromise of the confidentiality and integrity of the application data [1].
Mitigation
The vendor (SourceCodester) has not released an official patch as of the publication date. The software link suggests the application may be unmaintained or a demo project. Users should remove items/index.php and classes/Master.php from the web root, sanitize the cid parameter (e.g., cast it to an integer before it reaches the query), or apply a Web Application Firewall rule blocking suspicious cid values. No CISA KEV listing was noted for this CVE [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
- SourceCodester / Lost and Found Information System, Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Direct concatenation of unsanitized user input (`$_GET['cid']` and `$_POST['id']`) into SQL queries allows SQL injection."
Attack vector
An attacker can exploit the SQL injection by sending a crafted HTTP GET request to `/?page=items&cid=` with a malicious payload such as `' AND (SELECT 8856 FROM (SELECT(SLEEP(5)))RZAm) AND 'XJUv'='XJUv` to trigger time-based blind injection [ref_id=1]. Alternatively, a POST request to `/classes/Master.php?f=delete_item` with a `multipart/form-data` body containing a crafted `id` parameter (e.g., `' AND GTID_SUBSET(CONCAT(...))-- jKyA`) can be used [ref_id=1]. Both attack vectors are remotely exploitable over HTTP with no authentication required.
Affected code
The vulnerability exists in two files. In `items/index.php`, the `cid` parameter from `$_GET` is directly concatenated into a SQL query without sanitization: `$conn->query("SELECT * FROM category_list where id = '{$_GET['cid']}'")` [ref_id=1]. In `classes/Master.php`, the `delete_item()` function uses `extract($_POST)` and then interpolates the `$id` variable unsafely into a DELETE query [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] does not include a fix or remediation guidance. To close the vulnerability, the application should use prepared statements or parameterized queries instead of directly interpolating user-supplied input (`$_GET['cid']` and `$_POST['id']`) into SQL strings. Input validation and proper escaping would also mitigate the risk.
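The remediation described in the Mitigation section and in "What the fix does" (integer validation plus prepared statements), as an added example that is not code from the SourceCodester project. It assumes `$conn` is a `mysqli` connection, consistent with the advisory's `$conn->query(...)` call; the `item_list` table name in the delete path is a hypothetical placeholder, since the advisory does not name the table.

```php
<?php
// Added example, not from the SourceCodester project. Assumes $conn is a mysqli
// connection (the advisory shows $conn->query(...), which fits mysqli).

// Vulnerable pattern from items/index.php as quoted in the advisory:
//   $category_qry = $conn->query("SELECT * FROM category_list where id = '{$_GET['cid']}'");
// A single quote in cid closes the string literal and the remainder is parsed as SQL,
// which is exactly what the time-based payload in the advisory relies on.

/**
 * Hardened replacement for the items/index.php lookup: validate cid as a positive
 * integer, then bind it so the database never parses user input as SQL.
 */
function fetch_category(mysqli $conn, array $get): ?array
{
    // Rejects anything that is not a plain integer >= 1 (quotes, spaces, keywords).
    $cid = filter_var($get['cid'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($cid === false) {
        return null; // caller renders "category not found"; nothing reaches the DB
    }
    $stmt = $conn->prepare('SELECT * FROM category_list WHERE id = ?');
    $stmt->bind_param('i', $cid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

/**
 * Same treatment for delete_item() in classes/Master.php. The advisory notes it
 * calls extract($_POST); reading $_POST['id'] explicitly stops a request body from
 * overwriting local variables, and the bound parameter closes the injection.
 */
function delete_item(mysqli $conn, array $post): bool
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // 'item_list' is a hypothetical table name; the advisory does not give it.
    $stmt = $conn->prepare('DELETE FROM item_list WHERE id = ?');
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}
```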
Preconditions
- config: The target must be running SourceCodester Lost and Found Information System 1.0
- auth: No authentication is required; the vulnerable endpoints are publicly accessible
- network: Attacker must be able to send HTTP requests to the web server
- input: The `cid` GET parameter or `id` POST parameter must be accepted by the application
Reproduction
1. Send a GET request to `/?page=items&cid=' AND (SELECT 8856 FROM (SELECT(SLEEP(5)))RZAm) AND 'XJUv'='XJUv` with the Host header set to the target IP:port [ref_id=1].
2. Observe a 5-second delay in the response, confirming time-based blind SQL injection.
3. Alternatively, send a POST request to `/classes/Master.php?f=delete_item` with a `multipart/form-data` body containing `id=' AND GTID_SUBSET(CONCAT(0x717a6a7071,(SELECT (ELT(8125=8125,1))),0x71707a7071),8125)-- jKyA` [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Lost-and-Found-Information-System---Multiple-SQL-injections.md (mitre: exploit)
- vuldb.com (mitre: signature, permissions-required)
- vuldb.com (mitre: vdb-entry, technical-description)
News mentions
No linked articles in our index yet.