# ๐Ÿ›ก๏ธ CVE Disclosure: CVE-2025-26198 โ€” SQL Injection in CloudClassroom-PHP-Project **Disclosure Date:** 18 June 2025 **CVE ID:** CVE-2025-26198 **Severity:** CRITICAL (CVSS 9.8) --- ## ๐Ÿงฉ Summary A critical SQL Injection vulnerability exists in `CloudClassroom-PHP-Project v1.0`, specifically within the `loginlinkadmin.php` endpoint. The application directly incorporates unsanitized user inputs into SQL queries, allowing unauthenticated attackers to bypass authentication and gain full administrative access. This issue has been assigned the identifier **CVE-2025-26198**. At the time of public disclosure, **no official patch** was available. --- ## ๐Ÿ“ฆ Affected Product - **Vendor:** Independent (mathurvishal) - **Project:** [CloudClassroom-PHP-Project](https://github.com/mathurvishal/CloudClassroom-PHP-Project) - **Version:** v1.0 - **File:** `loginlinkadmin.php` - **Vulnerable Endpoint:** `http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php` --- ## ๐Ÿ”ฌ Vulnerability Details The admin login mechanism uses unsanitized input directly in SQL queries without any input validation or prepared statements: ```php $query = "SELECT * FROM admin WHERE username='$username' AND password='$password'"; ``` This allows for injection payloads such as: ```sql Username: ' OR '1'='1 Password: [any value] ``` This bypasses authentication logic by evaluating to a true condition, thereby granting access to the admin dashboard. --- ## ๐Ÿ“Œ CWE Classification | CWE ID | Title | |--------|-----------------------------------------------------------------------| | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | Improper Neutralization of Special Elements used in an SQL Command | --- ## ๐Ÿ“Š CVSS v3.1 Score | Score | Severity | Vector String | |-------|----------|---------------------------------------------| | 9.8 | CRITICAL | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` | --- ## ๐Ÿ’ฅ Impact A successful exploitation could result in: - โœ… Full **authentication bypass** - ๐Ÿ”“ **Unauthorized access** to privileged admin features - ๐Ÿ› ๏ธ Potential **data leakage or manipulation** using `UNION`-based SQL injection - โš ๏ธ Full **compromise of the backend database** --- ## ๐Ÿงช Proof of Concept (PoC) ### 1. Clone the Repository ```bash git clone https://github.com/mathurvishal/CloudClassroom-PHP-Project.git ``` ### 2. Host Locally Use XAMPP/LAMP to deploy the project and navigate to: ``` http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php ``` ### 3. Payload Injection Enter the following credentials in the login form: - **Username:** `' OR '1'='1` - **Password:** `[any value]` You will be logged in as the first admin user, verifying successful SQL injection. --- ## ๐Ÿ” Recommendations - โœ… Replace dynamic SQL queries with **prepared statements** (`mysqli_prepare()` or **PDO**). - ๐Ÿ” Perform **input validation and sanitization** for all user inputs. - ๐Ÿงฑ Deploy a **Web Application Firewall (WAF)** to block known SQL injection patterns. - ๐Ÿ›ก๏ธ Conduct **regular code audits** and **penetration testing** for early detection. --- ## ๐Ÿ“† Timeline | Event | Date | |--------------------------|----------------| | Vulnerability Discovered | 14 April 2025 | | Public Disclosure | 18 June 2025 | | Patch Available | โŒ Not available as of disclosure | --- ## ๐Ÿ™‹โ€โ™‚๏ธ Credits This vulnerability was discovered and responsibly disclosed by: **Tansique Dasari** ๐Ÿ”— [GitHub](https://github.com/phantomtrace) โœ‰๏ธ [tansique.d@gmail.com](mailto:tansique.d@gmail.com) --- ## ๐Ÿ”— References - [OWASP - SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection) - [PortSwigger - SQL Injection](https://portswigger.net/web-security/sql-injection) - [CloudClassroom GitHub Repository](https://github.com/mathurvishal/CloudClassroom-PHP-Project) - [CVE-2025-26198 on CVE.org](https://cve.org/CVERecord?id=CVE-2025-26198) --- > ๐Ÿ’ฌ *This advisory is published independently due to lack of vendor response.*