CVE-2020-37083
Time-Based Blind SQL Injection in PHP AddressBook photo.php
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| php_addressbook | php_addressbook | 9.0.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability. This means that remote attackers can manipulate database queries by injecting specially crafted SQL statements into the 'id' parameter of the photo.php endpoint.
The vulnerability allows attackers to use time delays in their injected SQL to infer information from the database by observing how long the server takes to respond.
How can this vulnerability impact me? :
This vulnerability can allow remote attackers to extract sensitive information from the database without direct access, by exploiting the time delays caused by injected SQL queries.
Because the vulnerability affects confidentiality (as indicated by the CVSS score with high impact on confidentiality), attackers can gain unauthorized access to data, potentially leading to data breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a time-based blind SQL injection in the 'id' parameter of the photo.php endpoint in PHP AddressBook 9.0.0.1. Detection typically involves sending crafted SQL payloads that introduce time delays and observing the response times to identify if the injection is successful.
For example, you can use tools like curl or sqlmap to test the 'id' parameter by injecting SQL statements that cause delays, such as using 'SLEEP()' functions in MySQL.
- Using curl to test the 'id' parameter with a time delay payload: curl 'http://target/photo.php?id=1 AND IF(SLEEP(5),1,0)'
- Using sqlmap to automate detection: sqlmap -u 'http://target/photo.php?id=1' --time-sec=5 --technique=T
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include validating and sanitizing all user inputs, especially the 'id' parameter in photo.php, to prevent SQL injection.
Use prepared statements or parameterized queries to handle database interactions securely.
If possible, update or patch PHP AddressBook to a version where this vulnerability is fixed.
Additionally, consider implementing web application firewalls (WAF) rules to detect and block SQL injection attempts.