itsourcecode Online Cellphone System Parameter available.php (sql injection)

在 itsourcecode Online Cellphone System 1.0 的 /cp/available.php 文件中（受影响组件为 'Parameter Handler'），发现了一个 SQL 注入漏洞。该漏洞允许远程攻击者操纵 'Name' 参数，从而在系统的数据库上执行恶意 SQL 代码。潜在影响严重，可能导致敏感信息泄露、数据篡改，甚至系统被攻陷。漏洞利用代码的公开增加了被利用的风险。CVSS 分数为 6.3，表明风险等级为中等到高，需要立即关注。

Organizations using itsourcecode Online Cellphone System, particularly those with publicly accessible instances and those that haven't implemented robust input validation practices, are at significant risk. Shared hosting environments where multiple users share the same database are also particularly vulnerable, as a compromise of one user's account could potentially lead to a compromise of the entire database.

• php: Examine web server access logs for requests to /cp/available.php with unusual or malformed Name parameters. Look for patterns indicative of SQL injection attempts (e.g., ';--, UNION SELECT).

grep -i 'available.php.*Name.*(;|--)' /var/log/apache2/access.log

• php: Review the source code of /cp/available.php for instances where the Name parameter is directly incorporated into SQL queries without proper sanitization or parameterization. • generic web: Use a web vulnerability scanner (e.g., OWASP ZAP, Burp Suite) to automatically scan the application for SQL Injection vulnerabilities, focusing on the /cp/available.php endpoint.

1. 2026-04-05Disclosure

   disclosure

1. 已保留2026-04-04
2. 发布日期2026-04-05
3. 修改日期2026-04-06
4. EPSS 更新日期2026-04-12

目前，itsourcecode 尚未提供针对此漏洞的官方修复程序（fix）。 立即的缓解措施是将 itsourcecode Online Cellphone System 1.0 从网络中隔离，以防止远程攻击。 我们强烈建议直接联系 itsourcecode 以请求安全更新。 期间，可以实施额外的安全措施，例如防火墙、入侵检测系统 (IDS)，以及彻底审查源代码以识别和修复 SQL 注入漏洞。 对数据库帐户实施最小权限原则也有助于限制潜在损害。