CVE-2019-25446 Overview
DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these parameters to extract or modify sensitive database information.
Critical Impact
Unauthenticated attackers can exploit this SQL injection flaw to extract sensitive data, modify database contents, or potentially compromise the entire backend database system.
Affected Products
- DIGIT CENTRIS ERP (all versions)
Discovery Timeline
- 2026-02-22 - CVE-2019-25446 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2019-25446
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) resides in the /korisnikinfo.php endpoint of DIGIT CENTRIS ERP. The application fails to properly sanitize user-supplied input in the datum1, datum2, KID, and PID POST parameters before incorporating them into SQL queries. This lack of input validation allows attackers to inject arbitrary SQL statements that are executed with the privileges of the database user configured for the application.
The vulnerability is particularly severe because it requires no authentication, meaning any network-accessible attacker can exploit it. Successful exploitation can lead to unauthorized access to sensitive business data, modification of critical records, and potential lateral movement within the organization's infrastructure if database credentials are shared or reused.
Root Cause
The root cause of this vulnerability is improper input validation and failure to use parameterized queries or prepared statements. The application directly concatenates user-controlled input into SQL query strings without adequate sanitization, escaping, or type validation. This is a fundamental secure coding violation that allows attackers to break out of the intended query structure and inject their own SQL commands.
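The concatenation flaw described above, shown beside its parameterized replacement. This is an added illustration, not code from DIGIT CENTRIS ERP or from the advisory: it is written in Python against an in-memory SQLite table so it can be run anywhere, and the table name, column names and rows are constructed. The same contrast applies to the real PHP endpoint with PDO or mysqli prepared statements. The allow-list validators for the id and date parameters are a second, independent layer; binding the value is what actually removes the injection.

```python
import re
import sqlite3
from datetime import datetime

# Constructed stand-in for the ERP's user table. The table and column names are
# hypothetical; only the parameter names (KID, datum1, datum2) come from the
# advisory.
SCHEMA = """
CREATE TABLE korisnik (KID INTEGER PRIMARY KEY, ime TEXT, datum TEXT);
INSERT INTO korisnik VALUES (1, 'alice', '2024-01-10');
INSERT INTO korisnik VALUES (2, 'bob',   '2024-02-15');
INSERT INTO korisnik VALUES (3, 'carol', '2024-03-20');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_concat(conn, kid):
    # Vulnerable pattern (the root cause): the request value is spliced into the
    # SQL text, so a quote in the input closes the literal and whatever follows
    # is parsed as part of the query.
    sql = "SELECT KID, ime FROM korisnik WHERE KID = '" + kid + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, kid):
    # Hardened pattern: the value is bound as a parameter. The driver passes it
    # separately from the statement text, so it cannot alter the query's
    # structure whatever characters it contains.
    return conn.execute(
        "SELECT KID, ime FROM korisnik WHERE KID = ?", (kid,)
    ).fetchall()


def validate_id(value):
    # Allow-list validation for KID / PID: digits only, then converted to int.
    # Defence in depth on top of binding, not a substitute for it.
    if not re.fullmatch(r"\d{1,10}", value):
        raise ValueError("id parameter must be numeric")
    return int(value)


def validate_date(value):
    # Allow-list validation for datum1 / datum2: must parse as YYYY-MM-DD.
    return datetime.strptime(value, "%Y-%m-%d").date()


def compare(kid):
    """Run one input through both query styles and return the row counts."""
    conn = make_db()
    return {
        "concatenated": len(lookup_concat(conn, kid)),
        "parameterized": len(lookup_param(conn, kid)),
    }


if __name__ == "__main__":
    print(compare("1"))            # both styles return the single matching row
    print(compare("1' OR '1'='1"))  # concatenation returns every row, binding none
```

With a well-formed id both functions return the one matching row; with a value that contains a quote, the concatenated query returns the whole table while the bound query returns nothing, which is exactly the difference the root-cause paragraph describes.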
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft malicious HTTP POST requests targeting the /korisnikinfo.php endpoint with SQL injection payloads in the vulnerable parameters (datum1, datum2, KID, PID). The injected SQL code is then executed against the backend database.
Common exploitation techniques include:
- Union-based injection - Appending UNION SELECT statements to extract data from other tables
- Error-based injection - Triggering database errors that reveal schema information
- Blind injection - Using boolean or time-based techniques to infer data character by character
- Stacked queries - Executing multiple SQL statements to modify data or database structure
Technical details and proof-of-concept examples can be found in the Exploit-DB #47401 entry and the VulnCheck Advisory.
Detection Methods for CVE-2019-25446
Indicators of Compromise
- Unusual POST requests to /korisnikinfo.php containing SQL syntax keywords such as UNION, SELECT, INSERT, UPDATE, DELETE, or comment sequences (--, /**/)
- Database logs showing malformed queries, syntax errors, or unexpected query patterns
- Anomalous data access patterns in database audit logs, particularly bulk data reads or schema enumeration
- Web application firewall alerts for SQL injection patterns targeting the identified parameters
Detection Strategies
- Deploy Web Application Firewall (WAF) rules specifically targeting SQL injection patterns in the datum1, datum2, KID, and PID parameters
- Implement database activity monitoring to detect anomalous query patterns, unauthorized data access, or schema enumeration attempts
- Configure intrusion detection systems (IDS) to alert on HTTP traffic containing SQL injection payloads targeting the vulnerable endpoint
- Enable verbose logging on the web server and database to capture and correlate suspicious request patterns
Monitoring Recommendations
- Monitor HTTP access logs for POST requests to /korisnikinfo.php with suspicious parameter values
- Set up alerts for database errors that may indicate attempted SQL injection, such as syntax errors or permission denials
- Track database query execution times to detect time-based blind SQL injection attempts
- Implement rate limiting on the vulnerable endpoint to slow down automated exploitation attempts
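A small log scanner covering the indicators and monitoring points above. This is an added example, not tooling from the advisory or the vendor, and it rests on one assumption worth stating: ordinary web server access logs do not record POST bodies, so seeing the datum1, datum2, KID and PID values requires a reverse proxy or WAF audit log that writes them. The line format, the expected parameter shapes (numeric ids, ISO dates) and the slow-response threshold are all constructed. Instead of matching SQL keywords, it flags any value for the four parameters that does not fit its expected shape, which catches malformed input without the false positives a keyword list produces on free text.

```python
import re
from urllib.parse import parse_qs

# Assumed log format (not from the advisory): one line per request from a
# reverse proxy in front of the ERP, including the raw POST body.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) '
    r'(?P<ms>\d+)ms body="(?P<body>[^"]*)"$'
)

ENDPOINT = "/korisnikinfo.php"

# Expected shape of each vulnerable parameter (assumption: numeric ids and
# ISO dates). Anything else is flagged.
EXPECTED = {
    "KID": re.compile(r"\d{1,10}"),
    "PID": re.compile(r"\d{1,10}"),
    "datum1": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "datum2": re.compile(r"\d{4}-\d{2}-\d{2}"),
}

# Constructed threshold: a lookup endpoint answering this slowly is a signal
# worth correlating with time-based blind injection attempts.
SLOW_MS = 5000


def analyse_line(line):
    """Return (timestamp, indicator, detail) findings for one log line."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "POST" or m.group("path") != ENDPOINT:
        return []
    findings = []
    # parse_qs percent-decodes the body, so the shape check sees the real value.
    params = parse_qs(m.group("body"), keep_blank_values=True)
    for name, shape in EXPECTED.items():
        for value in params.get(name, []):
            if not shape.fullmatch(value):
                findings.append((m.group("ts"), name, "unexpected value: " + value))
    if int(m.group("ms")) >= SLOW_MS:
        findings.append((m.group("ts"), "response_time", m.group("ms") + "ms"))
    return findings


def analyse(lines):
    findings = []
    for line in lines:
        findings.extend(analyse_line(line))
    return findings


# Constructed sample log: a normal lookup, an unrelated request, a request whose
# KID and datum2 values are not of the expected shape, and a slow response.
SAMPLE_LOG = [
    '2024-05-01T10:00:01Z POST /korisnikinfo.php 200 85ms body="KID=42&PID=7&datum1=2024-01-01&datum2=2024-01-31"',
    '2024-05-01T10:00:02Z GET /index.php 200 12ms body=""',
    '2024-05-01T10:00:03Z POST /korisnikinfo.php 500 90ms body="KID=42%27&datum2=1%3D1"',
    '2024-05-01T10:00:04Z POST /korisnikinfo.php 200 6200ms body="KID=42&PID=7&datum1=2024-01-01&datum2=2024-01-31"',
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the scanner reports two malformed parameter values from the third line and one slow response from the fourth; the first line passes cleanly even though it carries the same parameter names, which is the point of checking shape rather than keywords. The 500 status on the third line is the kind of database error the indicators list mentions and is a natural second signal to correlate.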
How to Mitigate CVE-2019-25446
Immediate Actions Required
- Restrict network access to the DIGIT CENTRIS ERP application, limiting exposure to trusted networks only
- Deploy a Web Application Firewall (WAF) with SQL injection protection rules in front of the application
- Review database user privileges and implement principle of least privilege to limit potential damage from SQL injection
- Enable comprehensive logging on both the web server and database to capture exploitation attempts
Patch Information
No vendor patch information is currently available for this vulnerability. Organizations should contact DIGIT directly for remediation guidance or consider the workarounds listed below.
Workarounds
- Implement input validation at the application layer or through a reverse proxy to sanitize the datum1, datum2, KID, and PID parameters
- Deploy a WAF rule to block requests containing SQL injection patterns targeting /korisnikinfo.php
- Restrict database user permissions to read-only access where possible to limit the impact of successful exploitation
- Consider network segmentation to isolate the ERP system from untrusted network segments
# Example WAF rule concept for ModSecurity
# Block SQL injection attempts on the vulnerable endpoint. The chained rule is
# scoped to the four affected parameters rather than all of ARGS, so ordinary
# free-text fields elsewhere in the request do not trip the keyword match.
SecRule REQUEST_URI "@contains /korisnikinfo.php" \
"id:100001,phase:2,deny,status:403,log,msg:'SQL Injection Attempt',\
chain"
SecRule ARGS:datum1|ARGS:datum2|ARGS:KID|ARGS:PID "@rx (?i)(union|select|insert|update|delete|drop|--|\/\*)" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.