CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability was found in code-projects School Fees Payment System 1.0 and classified as critical. This issue affects some unknown processing of the file /datatable.php. The manipulation of the argument sSortDir_0 leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis
A critical SQL injection vulnerability exists in code-projects School Fees Payment System version 1.0, in the /datatable.php file, where the sSortDir_0 parameter is not properly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising the confidentiality, integrity, and availability of the underlying database. The vulnerability has been publicly disclosed with exploit code available, indicating active exploitation risk.
Technical Context
The vulnerability exists in a PHP-based web application (School Fees Payment System) that uses DataTables or a similar JavaScript library for server-side data rendering. The sSortDir_0 parameter is the sort-direction argument commonly sent in DataTables AJAX requests. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which here reflects insufficient input validation and the absence of parameterized queries. The /datatable.php endpoint concatenates user-supplied sorting parameters directly into SQL queries without proper escaping, type casting, or prepared statements. This is a classic injection scenario in which user input flows directly into database commands via dynamic query construction.
Affected Products
code-projects School Fees Payment System version 1.0, and potentially earlier or later versions not explicitly listed. The vulnerability affects the /datatable.php endpoint specifically. No CPE string is provided in the source data; it would be structured as cpe:2.3:a:code-projects:school_fees_payment_system:1.0:*:*:*:*:php:*:*. Affected organizations are educational institutions, schools, and fee collection agencies running this software. The application likely runs on Linux or Windows with PHP 5.6+ and a MySQL/MariaDB backend.
Remediation
Immediate actions:
(1) Apply vendor patches - contact code-projects for security updates or migrate to patched version if available.
(2) Implement Web Application Firewall (WAF) rules to block requests with SQL metacharacters in sSortDir_0 parameter (validate against whitelist: ASC or DESC only).
(3) Code-level fix: Replace dynamic query construction with prepared statements using parameterized queries in /datatable.php - validate sSortDir_0 against strict whitelist of 'ASC' or 'DESC' values only before SQL incorporation.
(4) Disable DataTables server-side processing if not required; use client-side sorting instead.
(5) Implement strict input validation: sSortDir_0 must match regex ^(ASC|DESC)$ case-insensitively.
(6) Apply principle of least privilege - database user running PHP application should have SELECT-only permissions, preventing INSERT/UPDATE/DELETE via injection.
(7) Monitor database logs for suspicious queries with UNION, SLEEP(), or CAST operators.
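The code-level fix in item (3), combined with the ASC/DESC allow-list, as an added example (not the project's code or a vendor patch): a sort direction cannot be bound as a statement parameter, so it is checked against fixed keywords, while values that can be bound go through a prepared statement. The `payments` table, its columns, the function names, and the other legacy DataTables parameters (`iSortCol_0`, `sSearch`, `iDisplayLength`) are assumptions; the page names only `sSortDir_0`.

```php
<?php
declare(strict_types=1);

// Hypothetical sortable columns: DataTables column index => fixed SQL identifier.
const SORTABLE = [0 => 'student_name', 1 => 'amount', 2 => 'paid_on'];

/** Build ORDER BY from request parameters using allow-lists only. */
function orderByClause(array $req): string
{
    // Placeholders cannot bind keywords, so the direction is checked against constants.
    $dir = strtoupper((string)($req['sSortDir_0'] ?? 'ASC'));
    if (!in_array($dir, ['ASC', 'DESC'], true)) {
        throw new InvalidArgumentException('sSortDir_0 must be ASC or DESC');
    }
    // Accept only a known column index, never a column name taken from the request.
    $idx = filter_var($req['iSortCol_0'] ?? 0, FILTER_VALIDATE_INT);
    if ($idx === false || !array_key_exists($idx, SORTABLE)) {
        throw new InvalidArgumentException('iSortCol_0 is not a sortable column');
    }
    return 'ORDER BY ' . SORTABLE[$idx] . ' ' . $dir;
}

/** Listing query: every value that can be bound goes through a prepared statement. */
function listPayments(PDO $db, array $req): array
{
    $sql = 'SELECT student_name, amount, paid_on FROM payments WHERE student_name LIKE :q '
         . orderByClause($req) . ' LIMIT :n';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':q', '%' . ($req['sSearch'] ?? '') . '%', PDO::PARAM_STR);
    $stmt->bindValue(':n', min(100, max(1, (int)($req['iDisplayLength'] ?? 10))), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE payments (student_name TEXT, amount REAL, paid_on TEXT)');
$db->exec("INSERT INTO payments VALUES ('Ann', 120, '2025-01-05'), ('Bob', 80, '2025-02-01')");

// Valid request: rows sorted by amount, descending.
print_r(listPayments($db, ['iSortCol_0' => '1', 'sSortDir_0' => 'desc']));

// Constructed invalid value: rejected before any SQL text is built.
try {
    listPayments($db, ['iSortCol_0' => '1', 'sSortDir_0' => 'desc extra']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same allow-list approach applies to the sort column: the request supplies only an index, and the SQL identifier comes from the server-side map.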
EUVD-2025-17818