Executive Summary

CVE-2025-70152 is a critical vulnerability in the Scholars Tracking System 1.0 affecting the admin user management endpoints `/admin/save_user.php` and `/admin/update_user.php`.

These endpoints lack authentication checks, meaning they do not verify if the user is an admin before allowing access.

Additionally, they directly concatenate user-supplied POST parameters such as firstname, lastname, username, password, and user_id into SQL queries without validation or parameterization.

This combination allows an unauthenticated remote attacker to perform SQL Injection attacks by sending crafted HTTP POST requests, enabling them to execute arbitrary SQL commands on the database.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including:'}, {'type': 'list_item', 'content': 'Full database compromise, allowing attackers to dump all data including admin credentials and personally identifiable information (PII) of users.'}, {'type': 'list_item', 'content': 'Arbitrary data manipulation, such as inserting rogue admin accounts or modifying and deleting existing records.'}, {'type': 'list_item', 'content': 'Potential denial of service caused by malformed SQL queries leading to application errors.'}, {'type': 'list_item', 'content': "Complete loss of confidentiality, integrity, and availability of the system's data."}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending crafted HTTP POST requests to the vulnerable endpoints `/admin/save_user.php` or `/admin/update_user.php` and observing the responses for SQL errors or unexpected behavior.'}, {'type': 'paragraph', 'content': 'A simple detection method is to send a POST request with a single quote character in one of the parameters (e.g., `password`) to trigger a SQL syntax error, which indicates SQL injection.'}, {'type': 'paragraph', 'content': 'Example command using curl to test for SQL injection:'}, {'type': 'list_item', 'content': 'curl -X POST -d "firstname=Test&lastname=Test&username=testuser&password=\'&user_id=1" http://target/admin/save_user.php -v'}, {'type': 'paragraph', 'content': 'If the response contains SQL errors or unusual behavior, it confirms the presence of the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include enforcing authentication checks on the vulnerable endpoints to prevent unauthenticated access.'}, {'type': 'paragraph', 'content': 'Specifically, add session validation at the start of `/admin/save_user.php` and `/admin/update_user.php` to ensure only authenticated admin users can perform actions.'}, {'type': 'list_item', 'content': "Implement session checks such as: `session_start(); if (!isset($_SESSION['admin_id'])) { http_response_code(403); exit('Forbidden'); }`"}, {'type': 'paragraph', 'content': 'Additionally, use prepared statements with parameterized queries to prevent SQL injection by avoiding direct concatenation of user inputs into SQL statements.'}, {'type': 'list_item', 'content': 'Use prepared statements like: `$stmt = $pdo->prepare("INSERT INTO users (firstname, lastname, username, password, role) VALUES (:firstname, :lastname, :username, :password, \'ADMIN\')"); $stmt->execute([...]);`'}, {'type': 'paragraph', 'content': 'Also, securely hash passwords using functions like `password_hash()` and apply least privilege principles to the database user.'}, {'type': 'paragraph', 'content': 'Consider adding CSRF tokens and rate limiting on admin endpoints once authentication is implemented.'}] [1]

Useful 0 Not Useful 0