itsourcecode Online House Rental System manage_user.php sql injection
Description
SQL injection in itsourcecode Online House Rental System 1.0 via the id parameter in manage_user.php allows remote unauthenticated database compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A critical SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0. The flaw is located in the manage_user.php file where the id parameter is directly concatenated into SQL queries without sanitization or parameterization [1]. The vulnerable software is the "Online House Rental System Project In PHP With Source Code" available from the vendor's website [1].
Exploitation
The attacker can exploit this vulnerability remotely without requiring authentication [1]. By manipulating the id parameter in an HTTP request (e.g., id=1 AND 7032=7032), the attacker can inject malicious SQL statements [1]. The exploit has been publicly disclosed, including proof-of-concept payloads and sqlmap commands to automate extraction of database contents [1].
Impact
Successful exploitation allows an attacker to perform arbitrary SQL queries against the backend database [1]. This can lead to unauthorized access to sensitive data, modification or deletion of database records, and potentially full system compromise [1]. The impact includes data leakage, data tampering, and service disruption [1].
Mitigation
As of the publication date (2024-06-14), no patched version has been released by the vendor [1]. The affected version remains at V1.0 [1]. The recommended remediation is to use parameterized queries (prepared statements) and validate all user-supplied input, particularly the id parameter in manage_user.php [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 1.0
- (no CPE) range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `id` parameter in `manage_user.php` allows direct injection of malicious SQL into database queries."
Attack vector
An attacker sends a crafted HTTP request to `manage_user.php` with a malicious `id` parameter, such as `id=1 AND 7032=7032` [ref_id=1]. The application fails to validate or sanitize this input, allowing the attacker to inject arbitrary SQL commands [ref_id=1]. The attack is remotely exploitable and does not require authentication. The vulnerability is boolean-based blind SQL injection, enabling an attacker to extract database contents character by character [ref_id=1].
Affected code
The vulnerability resides in the file `manage_user.php` [ref_id=1]. The `id` parameter is taken directly from user input and used in SQL queries without sanitization or validation [ref_id=1]. No patch is provided in the bundle.
What the fix does
No patch is provided in the bundle. The advisory recommends using prepared statements with parameter binding to separate SQL code from user data, strictly validating and filtering user input, minimizing database user permissions, and conducting regular security audits [ref_id=1]. These measures would prevent the `id` parameter from being interpreted as executable SQL code.
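The following is an added illustration of the pattern the advisory describes and the prepared-statement form it recommends; it is not code from the itsourcecode project (whose source is not in this record) and assumes a mysqli connection `$conn` and a hypothetical `users` table with an integer primary key `id`.

```php
<?php
// Added example, not the project's code. Assumes a mysqli connection $conn
// and a hypothetical `users` table with an integer primary key `id`.

// Pattern the advisory describes: the raw `id` parameter is concatenated
// into the query text, so a value such as `1 AND 7032=7032` is parsed as
// part of the WHERE clause instead of being treated as a number.
function get_user_vulnerable(mysqli $conn, string $rawId): ?array
{
    $sql = "SELECT id, name, email FROM users WHERE id = " . $rawId;
    $result = $conn->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened form: validate the type first, then bind the value as a
// parameter so the driver transmits it as data, never as SQL text.
function get_user_safe(mysqli $conn, string $rawId): ?array
{
    // Accept only a plain positive integer; anything else is rejected
    // before a query is even built.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    $stmt = $conn->prepare("SELECT id, name, email FROM users WHERE id = ?");
    $stmt->bind_param('i', $id);   // 'i' binds an integer placeholder
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Request handler usage. Because the advisory notes the endpoint is
// reachable without logging in, the handler should also enforce
// authentication before calling this.
// $user = get_user_safe($conn, $_GET['id'] ?? '');
```

Running the database user with read-only or least-privilege grants, as the advisory also recommends, limits what any remaining injection could do.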
Preconditions
- network: The attacker must be able to send HTTP requests to the vulnerable `manage_user.php` endpoint.
- auth: No authentication is required; the vulnerability is exploitable without logging in.
- input: The `id` parameter must be accepted by the application and used directly in a SQL query.
Reproduction
1. Identify the target URL: `http://
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/LiuYongXiang-git/cve/issues/1 (mitre; exploit, issue-tracking)
- vuldb.com (mitre; third-party-advisory)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.