CVE-2026-0851
📋 TL;DR
This SQL injection vulnerability in code-projects Online Music Site 1.0 allows attackers to manipulate database queries through the txtusername parameter in the AdminAddUser.php file. Remote attackers can potentially execute arbitrary SQL commands, leading to data theft, modification, or deletion. All installations of version 1.0 are affected.
💻 Affected Systems
- code-projects Online Music Site
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including admin credential theft, data destruction, and potential server takeover via SQL injection to RCE escalation.
Likely Case
Unauthorized access to user data, admin account creation, and database manipulation.
If Mitigated
Limited impact with proper input validation and database permissions restricting damage to non-critical data.
🎯 Exploit Status
Exploit requires access to the admin interface but SQL injection is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://code-projects.org/
Restart Required: No
Instructions:
No official patch available. Implement input validation and parameterized queries in AdminAddUser.php.
🔧 Temporary Workarounds
Input Validation and Sanitization
allAdd server-side validation to sanitize txtusername parameter before processing.
Edit /Administrator/PHP/AdminAddUser.php to implement parameterized queries or input filtering
Access Restriction
allRestrict access to the admin interface using IP whitelisting or additional authentication.
Add .htaccess rules or firewall rules to limit access to /Administrator/ directory
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection rules
- Disable or remove the vulnerable AdminAddUser.php file if not needed
🔍 How to Verify
Check if Vulnerable:
Test the txtusername parameter in /Administrator/PHP/AdminAddUser.php with SQL injection payloads like ' OR '1'='1Check Version:
Check application version in configuration files or admin panelVerify Fix Applied:
Test with SQL injection payloads after implementing parameterized queries; should return error or no database manipulation.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed login attempts to admin interface
- Unexpected database queries from admin user
Network Indicators:
- SQL injection patterns in HTTP POST requests to AdminAddUser.php
- Unusual database connection patterns
SIEM Query:
source="web_logs" AND uri="/Administrator/PHP/AdminAddUser.php" AND (payload="' OR" OR payload="UNION" OR payload="SELECT")