code-projects Vehicle Showroom Management System RegisterCustomerFunction.php sql 注入

在code-projects Vehicle Showroom Management System 1.0中发现了一个SQL注入漏洞。该漏洞位于文件/util/RegisterCustomerFunction.php中一个未知的函数中。攻击者可以通过操纵BRANCH_ID参数来注入恶意SQL代码，从而可能导致数据泄露、数据修改或系统被攻陷。CVSS评分是7.3，表明风险级别很高。公开可用的漏洞利用程序大大增加了被利用的风险。

Organizations utilizing the code-projects Vehicle Showroom Management System, particularly those with publicly accessible instances and inadequate input validation measures, are at significant risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromise of one user's account could potentially lead to the compromise of the entire system.

• php: Examine web server access logs for requests to /util/RegisterCustomerFunction.php containing unusual characters or SQL keywords in the BRANCH_ID parameter. • generic web: Use curl to test the endpoint with various SQL injection payloads: curl 'http://your-vehicle-showroom-system/util/RegisterCustomerFunction.php?BRANCH_ID=1' UNION SELECT 1,2,3 -- - • generic web: Check response headers for SQL errors or unexpected behavior when injecting SQL payloads. • php: Review the source code of /util/RegisterCustomerFunction.php for insecure SQL query construction.

1. 2026-04-10Disclosure

   disclosure

1. 已保留2026-04-09
2. 发布日期2026-04-10
3. EPSS 更新日期2026-04-17

目前，此漏洞没有官方的修复程序。立即的缓解措施是暂时禁用/util/RegisterCustomerFunction.php中受影响的功能，特别是使用BRANCH_ID参数的函数。强烈建议管理员在可用时升级到打补丁的版本。在此期间，实施Web应用程序防火墙（WAF）并加强数据库安全策略可以帮助降低风险。对所有用户输入进行严格的验证和清理对于防止未来的SQL注入攻击至关重要。