CVE-2025-64081
📋 TL;DR
This SQL injection vulnerability allows attackers to execute arbitrary SQL commands through the appointmentID parameter in the Patients Waiting Area Queue Management System. Attackers can potentially access, modify, or delete database content. Organizations using this specific software version are affected.
💻 Affected Systems
- SourceCodester Patients Waiting Area Queue Management System
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including patient data exfiltration, system takeover via RCE, and destruction of all healthcare records.
Likely Case
Unauthorized access to patient appointment data, modification of queue information, and potential privilege escalation.
If Mitigated
Limited impact with proper input validation and database permissions restricting damage to the appointments table only.
🎯 Exploit Status
Simple SQL injection via GET/POST parameter. No authentication required. Public exploit details available on Packet Storm.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.sourcecodester.com/php/18348/patients-waiting-area-queue-management-system.html
Restart Required: No
Instructions:
1. Check the vendor website for an updated version.
2. If a patch exists, download it and replace the affected files.
3. Test functionality after the update.
🔧 Temporary Workarounds
Input Validation Filter
Add parameter validation so that appointmentID only accepts numeric values.
In /php/api_patient_schedule.php, add (the isset guard avoids a PHP notice when the parameter is absent):
if (!isset($_REQUEST['appointmentID']) || !is_numeric($_REQUEST['appointmentID'])) { die('Invalid input'); }
WAF Rule
Block SQL injection patterns targeting the appointmentID parameter.
Add a WAF rule that detects and blocks requests containing SQL keywords in the appointmentID parameter.
🧯 If You Can't Patch
- Block external access to /php/api_patient_schedule.php via firewall rules
- Implement database user with minimal permissions (read-only for this endpoint if possible)
🔍 How to Verify
Check if Vulnerable:
Send a request to /php/api_patient_schedule.php?appointmentID=1' OR '1'='1 and check for a SQL error or an unexpected response.
Check Version:
Check the file headers, or version.txt if present, in the application root.
Verify Fix Applied:
Test with the same payload after the fix; the application should return an error message or no data instead of a SQL error.
📡 Detection & Monitoring
Log Indicators:
- SQL syntax errors in web server logs
- Unusual database queries from web application user
- Multiple failed parameter validation attempts
Network Indicators:
- HTTP requests to /php/api_patient_schedule.php with SQL keywords in parameters
- Unusual database port traffic from web server
SIEM Query:
source="web_logs" AND uri="/php/api_patient_schedule.php" AND param="*appointmentID*" AND (value="*' OR*" OR value="*UNION*" OR value="*SELECT*" OR value="*--*" OR value="*;*" OR value="*/*")
(The SQL-keyword terms are grouped in parentheses so that the appointmentID condition applies to all of them; without the grouping, AND binds more tightly than OR and the uri/param filters would only apply to the first term.)
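As an added example (not part of the advisory), the following Python script applies the same detection logic as the SIEM query above to web server access logs offline. The log lines are constructed samples, and the key caveat it handles is that the payload arrives URL-encoded (`1%27%20OR%20%271%27%3D%271`), so matching must run on the decoded parameter value, not on the raw log line.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:00:01 +0000] "GET /php/api_patient_schedule.php?appointmentID=42 HTTP/1.1" 200 512
10.0.0.9 - - [12/Nov/2025:10:00:07 +0000] "GET /php/api_patient_schedule.php?appointmentID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9034
10.0.0.9 - - [12/Nov/2025:10:00:09 +0000] "GET /php/api_patient_schedule.php?appointmentID=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 233
10.0.0.7 - - [12/Nov/2025:10:00:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TARGET_PATH = "/php/api_patient_schedule.php"
TARGET_PARAM = "appointmentID"
# Same markers as the SIEM query, applied to the URL-decoded value.
# "/*" is matched as a literal comment opener rather than the looser "*/*" wildcard.
MARKER_RE = re.compile(r"'\s*OR\b|\bUNION\b|\bSELECT\b|--|;|/\*", re.IGNORECASE)


def inspect_value(value):
    """True if the decoded appointmentID is not a plain integer and contains an injection marker."""
    if value.isdigit():          # the only shape this endpoint legitimately needs
        return False
    return MARKER_RE.search(value) is not None


def scan_log(text):
    """Return (client_ip, http_status, decoded_value) for suspicious requests to the endpoint."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes each value, so encoded payloads are inspected in clear form.
        for value in parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, []):
            if inspect_value(value):
                hits.append((m.group("ip"), int(m.group("status")), value))
    return hits


if __name__ == "__main__":
    for ip, status, value in scan_log(SAMPLE_LOG):
        # A 200 with a large body on an injected value suggests the query succeeded,
        # which the "SQL syntax error" log indicator alone would not catch.
        print(f"{ip} status={status} appointmentID={value!r}")
```

Only GET query strings are visible in access logs; detecting the POST variant requires request-body logging at the WAF or application layer.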