SourceCodester Lost and Found Information System GET Parameter view.php SQL injection
Description
A vulnerability classified as critical has been found in SourceCodester Lost and Found Information System 1.0. Affected is an unknown function of the file items/view.php of the component GET Parameter Handler. The manipulation of the argument id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-228888.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Lost and Found Information System 1.0 is vulnerable to SQL injection in items/view.php via the id parameter, allowing remote unauthenticated attackers to extract or modify database contents.
Vulnerability
The SQL injection vulnerability exists in SourceCodester Lost and Found Information System version 1.0, specifically in the file items/view.php. The id GET parameter is passed directly into an SQL query without proper sanitization or parameterization, creating a classic SQL injection flaw (CWE-89). The vulnerable page is accessed via /php-lfis/?page=items/view&id=ID. The vendor homepage is sourcecodester.com and the software link for the affected version is the Lost and Found Information System v1.0 [1].
Exploitation
An attacker can exploit this vulnerability remotely without any authentication or special privileges. The attack requires only that the target application is reachable over HTTP. The proof of concept provided by the discoverer involves visiting the vulnerable page with a crafted id parameter, copying the HTTP request to a text file, and running it through SQLmap for automated exploitation. A sample request targets `GET /php-lfis/?page=items/view&id=5 HTTP/1.1` on localhost [1]. The attacker can manipulate the id parameter to extract database contents, modify data, or perform other SQL commands.
Impact
Successful exploitation allows the attacker to compromise the confidentiality, integrity, and availability of the application's database. This can lead to extraction of sensitive information (such as user credentials, personal data, or system secrets), manipulation of data (inserting, updating, or deleting records), and potential escalation to further attacks depending on the database server's configuration and permissions [1]. The vulnerability is classified as critical due to the broad impact on all three CIA pillars.
Mitigation
As of the publication date (12 May 2023), no official patch has been released by SourceCodester for version 1.0. The vendor has not indicated whether an updated version is planned. Until a fix is available, the only mitigations are to restrict network access to the vulnerable page (e.g., via web application firewall rules or IP whitelisting) and to apply input validation and prepared statements on the id parameter in items/view.php. The vulnerability has been publicly disclosed with a proof of concept, increasing the risk of exploitation [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 1.0
- SourceCodester / Lost and Found Information System, range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `id` GET parameter in `items/view.php` is used directly in an SQL query without input sanitization or parameterization, leading to SQL injection [ref_id=1]."
Attack vector
An attacker sends a crafted HTTP GET request to `/php-lfis/?page=items/view&id=ID` where the `id` parameter contains SQL injection payloads [ref_id=1]. The application does not neutralize special SQL characters in this parameter, allowing the attacker to execute arbitrary SQL commands against the backend database [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication required [ref_id=1].
Affected code
The vulnerable file is `items/view.php` in the SourceCodester Lost and Found Information System 1.0. The `id` GET parameter passed to this page is not sanitized before being used in an SQL query [ref_id=1].
What the fix does
No patch has been published by the vendor. The advisory recommends that input to the `id` parameter be properly sanitized or parameterized queries be used to prevent SQL injection [ref_id=1]. Without a fix, the application remains vulnerable to SQL injection attacks that can compromise confidentiality, integrity, and availability of the database [ref_id=1].
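The Mitigation section above and this "What the fix does" section both recommend validating the `id` parameter and using parameterized queries. The following is an added example, not code from the SourceCodester project or from the advisory: it shows, in PHP, the shape of the flaw the advisory describes (string interpolation of the `id` GET parameter into SQL) beside a hardened handler that validates `id` as a positive integer and binds it through a mysqli prepared statement. The actual contents of `items/view.php` are not reproduced here; the vulnerable form is a hypothetical reconstruction, and the table name `items`, its columns, and the database connection parameters are assumptions.

```php
<?php
// Added example, not code from the SourceCodester project. The vulnerable
// shape below is a hypothetical reconstruction of "id is used directly in
// an SQL query"; the `items` table, its columns and the DB credentials are
// assumptions.

declare(strict_types=1);

// --- Vulnerable pattern (assumed shape of the flaw, CWE-89) ---
// $id  = $_GET['id'];
// $sql = "SELECT * FROM items WHERE id = '{$id}'";   // caller controls SQL text
// $row = $conn->query($sql)->fetch_assoc();

// --- Hardened handler ---

/**
 * Validate the id parameter as a positive integer. Returns null for any
 * value that is not a plain decimal integer >= 1, so non-numeric input is
 * rejected before it reaches the database layer.
 */
function parse_item_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts only an optionally signed decimal integer;
    // min_range additionally rejects 0 and negative values.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one item with a prepared statement. The id is sent as a bound
 * integer parameter, never as part of the SQL text, so the query structure
 * cannot be changed by the request.
 */
function fetch_item(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT id, name, description, status FROM items WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $id);   // 'i' = integer type for the single placeholder
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Page entry point. Connection parameters are placeholders.
$id = parse_item_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid item id.');
}

$conn = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
$item = fetch_item($conn, $id);
if ($item === null) {
    http_response_code(404);
    exit('Item not found.');
}

// Escape on output as well: SQL injection and HTML injection are separate concerns.
foreach ($item as $field => $value) {
    echo htmlspecialchars((string) $field, ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The integer validation and the prepared statement are independent layers: the prepared statement alone already prevents the injection, while the validation rejects malformed `id` values early and returns a clean 400 instead of a database error that could leak query details.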
Preconditions
- Network: The target must be running SourceCodester Lost and Found Information System 1.0 with the items/view.php page accessible.
- Auth: No authentication is required; the vulnerable endpoint is publicly accessible.
- Network: The attacker must be able to send HTTP GET requests to the server.
Reproduction
1. Visit the vulnerable page: `/php-lfis/?page=items/view&id=ID` [ref_id=1].
2. Capture the request and save it to a text file.
3. Run SQLmap against the saved request file to confirm the `id` parameter is injectable [ref_id=1].

The researcher confirmed that the GET parameter `id` is vulnerable [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/tht1997/CVE_2023/blob/main/Lost%20and%20Found%20Information%20System/CVE-2023-2672.md (mitre, exploit)
- vuldb.com (mitre, signature)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.