CVE-2024-25217
Description
Online Medicine Ordering System v1.0 has an unauthenticated SQL injection in the view_product endpoint, allowing database compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Online Medicine Ordering System version 1.0 (PHP/MySQL) contains a SQL injection vulnerability in the /omos/?p=products/view_product endpoint. The id parameter is directly concatenated into a SQL query without sanitization or parameterization, as demonstrated in the public proof of concept [1]. This affects all installations of version 1.0.
Exploitation
The vulnerability is exploitable by an unauthenticated attacker with network access to the application. The attacker can trigger the injection by manipulating the id GET parameter in the product view page. A logged Burp request in the advisory demonstrates capturing the request and using sqlmap with --risk 3 --level 5 against the id parameter, confirming both boolean-based blind and time-based blind injection vectors [1].
Impact
Successful exploitation allows an attacker to extract arbitrary data from the database, including user credentials and other sensitive information. The advisory demonstrates retrieving the current database. Since the application runs on MySQL, an attacker could escalate this to file read/write or execute system commands if database user privileges permit, leading to full compromise of the application and underlying server [1].
Mitigation
As of the publication date (2024-02-14), no official patch or fixed version has been released by the vendor. The software is no longer actively maintained (the SourceCodester page may be taken down). Users should immediately take the application offline, migrate to a supported solution, or implement a web application firewall (WAF) rule to block malicious id parameter values. Input validation and prepared statements should be applied to all database queries [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Online Medicine Ordering System / Online Medicine Ordering System
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `id` parameter in the product view endpoint is directly concatenated into a SQL query without sanitization or parameterization, allowing SQL injection."
Attack vector
An unauthenticated attacker can exploit this SQL injection by sending a crafted GET request to `/omos/?p=products/view_product&id=4` with malicious SQL payloads in the `id` parameter [ref_id=1]. The advisory demonstrates both boolean-based blind and time-based blind injection techniques, confirming the parameter is vulnerable. The attacker does not need any authentication or special privileges. Using sqlmap with the `id` parameter at risk 3 and level 5, the attacker can enumerate the database, as shown by the successful extraction of the current database name `omos_db` [ref_id=1].
Affected code
The vulnerability exists in the `/omos/?p=products/view_product` endpoint, which takes an `id` GET parameter. The researcher's proof-of-concept shows the `id` parameter is directly interpolated into a SQL query without sanitization [ref_id=1]. The specific file handling this request is not named in the advisory, but the vulnerable code path is the product view functionality.
What the fix does
No patch or fix is provided in the advisory. The vendor (SourceCodester) has not published a remediation for this vulnerability. To close the SQL injection, the application should use prepared statements with parameterized queries for the `id` parameter in the product view functionality, or at minimum apply strict input validation to ensure the `id` parameter is an integer [ref_id=1].
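As an added illustration of the fix described above (not code from the project; the advisory does not name the vulnerable file), the `id` parameter is validated as a positive integer and then bound through a PDO prepared statement. The table and column names and the database credentials are assumptions; only the `omos_db` database name comes from the advisory.

```php
<?php
// Added illustration, not the project's source: how the view_product
// handler should treat the `id` GET parameter. Table/column names
// (`products`, `id`, ...) and DB_USER/DB_PASSWORD are placeholders.
declare(strict_types=1);

// Pattern the advisory describes (illustrative reconstruction, NOT the
// project's actual code): the raw parameter lands inside the SQL string.
//   $sql = "SELECT * FROM products WHERE id = " . $_GET['id'];

// Validate the product id: it must be a positive integer, nothing else.
// Anything that is not a plain integer yields null so the request is rejected early.
function parseProductId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one product with a prepared statement: the id is bound as a typed
// parameter, never concatenated, so the database treats it purely as data.
function fetchProduct(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, description, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling for the view_product page.
$id = parseProductId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid product id');
}

$db = new PDO('mysql:host=localhost;dbname=omos_db;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use native server-side prepared statements
]);
$product = fetchProduct($db, $id);
if ($product === null) {
    http_response_code(404);
    exit('Product not found');
}
echo htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8');
```

Rejecting non-integer ids before the query also gives a cheap detection point: a 400 on this endpoint is a signal worth logging, since legitimate product links only ever carry integers.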
Preconditions
- network: The attacker must be able to send HTTP GET requests to the vulnerable endpoint
- auth: No authentication or session is required
- input: The id parameter must accept arbitrary input (no input validation in place)
Reproduction
1. Navigate to `http://localhost/omos/?p=products` and select any product.
2. Capture the resulting GET request (e.g., `GET /omos/?p=products/view_product&id=4`) using Burp Suite.
3. Save the request to a file (e.g., `r.txt`).
4. Run sqlmap: `sqlmap -r r.txt -p id --risk 3 --level 5 --dbms mysql --batch --current-db`
5. sqlmap will confirm the `id` parameter is injectable (boolean-based blind and time-based blind) and dump the current database (e.g., `omos_db`) [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.