VYPR
Critical severity 9.8 · NVD Advisory · Published May 2, 2025 · Updated Jun 6, 2026

CVE-2025-2812

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection.

This issue affects Ticket Sales Automation: before 03.04.2025 (DD.MM.YYYY).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Improper neutralization of special SQL elements in the `ilkHarf` parameter of the password reset page allows Boolean-based blind SQL injection."

Attack vector

An unauthenticated attacker sends a crafted GET request to the password-reset information endpoint with a malicious `ilkHarf` parameter. The payload uses SQL comment characters and boolean logic to probe the database character by character without any authentication or prior knowledge [ref_id=1]. The example target URL is `https://otobusfirmasi.com.tr/otobus-bileti/SifremiUnuttum.php` and the vulnerable parameter is `ilkHarf` [ref_id=1]. Because the injection is Boolean-based blind, the attacker observes differences in the server's response (true/false) to infer data from `INFORMATION_SCHEMA.SCHEMATA` and other database tables [ref_id=1].

Affected code

The vulnerable endpoint is `/otobus-bileti/SifremiUnuttum.php` (password reset page) and the backend handler `SifremiUnuttumBilgi.php` which processes the request. The `ilkHarf` parameter is the injection point [ref_id=1].

What the fix does

The advisory does not include a patch diff or code-level fix details. The remediation guidance is implicit in the CVE assignment and USOM coordination: the vendor (Mydata Bilişim Ltd. Şti) was notified and the vulnerability was disclosed through USOM (Turkey's national CERT) under advisory tr-25-0099 [ref_id=1]. To close the vulnerability, the application must properly neutralize special SQL characters in the `ilkHarf` parameter — typically by using prepared statements, parameterized queries, or strict input validation/escaping before constructing SQL queries [ref_id=1].
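The following PHP is an added illustration of the pattern described above and of the prepared-statement fix the advisory points to; it is not code from the advisory or from Mydata's product. The table `users`, the columns `phone` and `first_name`, the DSN and the credentials are assumptions, and the two functions are a hypothetical password-reset lookup that takes the same two inputs (`TelefonNo`, `ilkHarf`) as the affected endpoint.

```php
<?php
// Added illustration, not Mydata's code. A hypothetical password-reset lookup
// taking a phone number and the first letter of a name (ilkHarf), shown first
// as vulnerable string concatenation, then hardened with PDO prepared statements.
// Table/column names (users, phone, first_name) and the DSN are assumptions.

declare(strict_types=1);

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares on MySQL
    ]);
}

// Vulnerable pattern: request values are pasted into the SQL text, so a
// value shaped like  a') OR <condition>--   rewrites the WHERE clause and the
// page's true/false behaviour becomes a boolean oracle for the database.
function lookupVulnerable(PDO $db, string $telefonNo, string $ilkHarf): array
{
    $sql = "SELECT id FROM users WHERE phone = '$telefonNo' "
         . "AND first_name LIKE CONCAT('$ilkHarf', '%')";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: allow-list the shape of each input, then bind the values
// so the driver sends them as data and they can never become SQL syntax.
function lookupHardened(PDO $db, string $telefonNo, string $ilkHarf): array
{
    // ilkHarf ("first letter") is expected to be exactly one letter.
    if (preg_match('/^\p{L}$/u', $ilkHarf) !== 1) {
        throw new InvalidArgumentException('ilkHarf must be a single letter');
    }
    // Phone numbers are digits only; the length bounds are an assumption.
    if (preg_match('/^\d{10,15}$/', $telefonNo) !== 1) {
        throw new InvalidArgumentException('TelefonNo must be 10-15 digits');
    }

    $stmt = $db->prepare(
        'SELECT id FROM users WHERE phone = :phone AND first_name LIKE :prefix'
    );
    $stmt->execute([
        ':phone'  => $telefonNo,
        ':prefix' => $ilkHarf . '%', // wildcard appended in PHP, bound as data
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Handler sketch: rejected input and "no match" produce the same response,
// so malformed parameters do not get a distinguishable error page.
$db = connect(
    'mysql:host=127.0.0.1;dbname=bilet;charset=utf8mb4', // assumed DSN
    'app',
    (string) getenv('DB_PASS')
);
try {
    $rows = lookupHardened($db, $_GET['TelefonNo'] ?? '', $_GET['ilkHarf'] ?? '');
} catch (InvalidArgumentException $e) {
    $rows = [];
}
header('Content-Type: application/json');
echo json_encode(['found' => $rows !== []]);
```

Two details matter beyond the bind itself: `ATTR_EMULATE_PREPARES` is switched off so MySQL, not the PHP driver, separates the query text from the values, and the `%` wildcard is appended on the PHP side and bound as part of the parameter rather than written into the SQL string.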

Preconditions

  • config: The target must run Mydata Bilişim's 'Bilet Satış Otomasyonu' (Ticket Sales Automation) before 03.04.2025
  • network: The password reset page (/otobus-bileti/SifremiUnuttum.php) must be publicly accessible
  • auth: No authentication is required; the attacker can be unauthenticated
  • input: The attacker supplies a malicious 'ilkHarf' parameter in the GET request

Reproduction

Send a GET request to `https://otobusfirmasi.com.tr/otobus-bileti/SifremiUnuttumBilgi.php?TelefonNo=12313131231312313&ilkHarf=a')%20OR%20NOT%20LENGTH(LENGTH((SELECT%20SCHEMA_NAME%20FROM(INFORMATION_SCHEMA.SCHEMATA)LIMIT%200,1)))=1--%20wXyW` with a valid session cookie. Observe the server response for boolean differences to extract database information [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
