SourceCodester Best House Rental Management System payment_report.php sql injection
Description
A vulnerability classified as critical has been found in SourceCodester Best House Rental Management System 1.0. Affected is an unknown function of the file payment_report.php. Manipulation of the argument month_of leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. VDB-268794 is the identifier assigned to this vulnerability.
Affected products
- Range: =1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization and lack of prepared statements allow SQL injection via the `month_of` parameter in `payment_report.php`."
Attack vector
An attacker sends a crafted HTTP GET request to `/payment_report.php?month_of=` with a malicious payload in the `month_of` parameter [ref_id=1]. The parameter is directly embedded into the SQL query, allowing the attacker to break out of the string literal and inject arbitrary SQL commands [ref_id=1]. The attack is remotely exploitable over the network with no authentication required, and a public PoC payload (e.g., `month_of=2024-06' UNION ALL SELECT ...`) has been disclosed [ref_id=1].
Affected code
The vulnerable code is in `payment_report.php`. The SQL query directly interpolates the `$month_of` parameter without sanitization: `$payments = $conn->query("SELECT p.*, ... WHERE date_format(p.date_created,'%Y-%m') = '$month_of' ORDER BY ...")` [ref_id=1]. The `$month_of` value originates from `$_GET['month_of']` with no prepared statement or escaping [ref_id=1].
What the fix does
No patch has been published by the vendor. The advisory [ref_id=1] identifies that the root cause is the direct inclusion of user-supplied `$month_of` into the SQL query string without sanitization or use of prepared statements. The recommended remediation is to replace the vulnerable dynamic query construction with parameterized prepared statements, which would treat user input as data rather than executable SQL code.
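The vulnerable query pattern quoted above beside the prepared-statement remediation the advisory recommends, as an added example that is not the project's code: the column list and ORDER BY clause are elided in the advisory, so the query is simplified, and the `payments` table name is an assumption.

```php
<?php
// Added example, not code from the project. Table and column names beyond
// those quoted in the advisory (`p.date_created`, `payments` alias `p`) are
// assumed for illustration.

// Vulnerable pattern as described for payment_report.php: the raw GET value
// is interpolated into the SQL string. A single quote inside month_of closes
// the string literal and the remainder of the value is parsed as SQL.
function report_vulnerable(mysqli $conn, array $get)
{
    $month_of = $get['month_of'] ?? date('Y-m');
    return $conn->query(
        "SELECT p.* FROM payments p
          WHERE date_format(p.date_created, '%Y-%m') = '$month_of'
          ORDER BY p.date_created DESC"
    );
}

// Hardened version: the report only needs a YYYY-MM value, so reject anything
// else up front, then bind the value as a parameter. Bound parameters are sent
// to the server as data and are never parsed as part of the SQL text.
function report_safe(mysqli $conn, array $get)
{
    $month_of = $get['month_of'] ?? date('Y-m');
    if (!preg_match('/^\d{4}-(0[1-9]|1[0-2])$/', $month_of)) {
        // Log-worthy: a value that is not a month is either a bug or probing.
        throw new InvalidArgumentException('month_of must be YYYY-MM');
    }
    $stmt = $conn->prepare(
        "SELECT p.* FROM payments p
          WHERE date_format(p.date_created, '%Y-%m') = ?
          ORDER BY p.date_created DESC"
    );
    $stmt->bind_param('s', $month_of);   // 's' = bind as string
    $stmt->execute();
    return $stmt->get_result();
}
```

Validation alone is not the fix; the prepared statement is what removes the injection, while the format check narrows the input surface and makes rejected requests visible in application logs.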
Preconditions
- Network: The attacker must be able to send HTTP GET requests to the vulnerable endpoint /payment_report.php
- Auth: No authentication or prior access is required
- Input: The month_of parameter must be accepted from user input via $_GET
Reproduction
1. Send a GET request to `http://
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/jadu101/CVE/blob/main/SourceCodester_House_Rental_Management_System_Sqli.md (mitre, exploit)
- vuldb.com (mitre, third-party-advisory)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.