CVE-2020-37051 Overview
Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the feed.php endpoint by crafting malicious payload requests that use time delays to systematically enumerate user password characters.
Critical Impact
Unauthenticated attackers can extract sensitive database credentials including password hashes through network-accessible SQL injection, potentially leading to complete database compromise and unauthorized system access.
Affected Products
- Online-Exam-System 2015
Discovery Timeline
- 2026-01-30 - CVE-2020-37051 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2020-37051
Vulnerability Analysis
This vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), commonly known as SQL Injection. The flaw exists in the feedback form processing mechanism within the feed.php endpoint of the Online-Exam-System application.
Time-based blind SQL injection is a particularly stealthy attack technique where the attacker infers information from the database by observing response time differences. By injecting SQL statements that cause conditional time delays (typically using functions like SLEEP() in MySQL or WAITFOR DELAY in MSSQL), attackers can extract data one character at a time by measuring whether the application response is delayed.
The network-accessible nature of this vulnerability means attackers can exploit it remotely without requiring any prior authentication or special privileges. This significantly increases the risk exposure for any organization running the affected software in a network-accessible configuration.
Root Cause
The root cause of this vulnerability is the failure to properly sanitize and validate user-supplied input before incorporating it into SQL queries. The feed.php endpoint directly concatenates user input into database queries without implementing parameterized queries or prepared statements, allowing malicious SQL code to be executed by the database engine.
Attack Vector
The attack is conducted over the network with low complexity requirements. An attacker targets the feed.php feedback form endpoint by submitting specially crafted input containing SQL injection payloads. These payloads leverage time-delay SQL functions to create a timing oracle, allowing the attacker to systematically extract database contents including user credentials and password hashes.
The attack does not require any user interaction or prior authentication, making it particularly dangerous for internet-facing deployments. Successful exploitation results in high confidentiality impact as attackers can extract sensitive database information including authentication credentials.
Detection Methods for CVE-2020-37051
Indicators of Compromise
- Unusual response time patterns from the feed.php endpoint, particularly responses with consistent delays (e.g., 5 seconds, 10 seconds)
- Web server logs showing requests to feed.php containing SQL keywords such as SLEEP, WAITFOR, BENCHMARK, or conditional statements
- Database logs indicating execution of time-delay functions originating from the web application
- Multiple sequential requests to the feedback endpoint from the same source with incrementally modified parameters
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns and time-based injection attempts
- Configure database audit logging to alert on execution of time-delay functions and unusual query patterns
- Deploy application-level monitoring to detect abnormal response time distributions for the feedback endpoint
- Utilize intrusion detection systems (IDS) with SQL injection signature rules targeting time-based blind injection techniques
Monitoring Recommendations
- Monitor web application logs for requests containing SQL injection keywords targeting feed.php
- Set up alerting for database queries with unusually long execution times or containing time-delay functions
- Track and analyze response time metrics for the feedback form endpoint to identify timing anomalies
- Implement rate limiting and anomaly detection for repeated requests to the feedback submission endpoint
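The log-based indicators above (time-delay keywords in requests to feed.php, and repeated delayed responses to one source) can be checked with a short script. This is an added example, not code from the advisory or from the Online-Exam-System project; the log format (Apache combined-style fields with %D appended), the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Assumed log format: Apache "combined"-style fields with %D (microseconds) last.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" '
                     r'\d{3} \S+ (?P<usec>\d+)$')
# Time-delay keywords named in the advisory's indicators.
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(|\bwaitfor\s+delay\b', re.I)
SLOW_SECONDS = 4.0   # assumed cut-off for a "delayed" response
SLOW_HITS = 3        # assumed: repeated slow responses needed to flag a source

def analyze(lines, endpoint="/feed.php"):
    """Return {source_ip: counters} for sources matching either indicator."""
    stats = defaultdict(lambda: {"total": 0, "keyword": 0, "slow": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        path, _, query = m["uri"].partition("?")
        if not path.endswith(endpoint):
            continue
        s = stats[m["ip"]]
        s["total"] += 1
        # Decode twice so double URL-encoded keywords are still seen.
        if DELAY_RE.search(unquote_plus(unquote_plus(query))):
            s["keyword"] += 1
        if int(m["usec"]) / 1_000_000 >= SLOW_SECONDS:
            s["slow"] += 1
    # POST bodies are not in access logs, so timing must stand on its own.
    return {ip: s for ip, s in stats.items()
            if s["keyword"] or s["slow"] >= SLOW_HITS}

# Constructed sample lines (documentation IP ranges, keyword fragments only).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Feb/2026:10:00:01 +0000] "GET /feed.php?subject=x+SLEEP%285%29 HTTP/1.1" 200 512 5012345',
    '203.0.113.7 - - [01/Feb/2026:10:00:07 +0000] "GET /feed.php?subject=x%2520benchmark%2528 HTTP/1.1" 200 512 180000',
    '198.51.100.9 - - [01/Feb/2026:10:01:00 +0000] "POST /feed.php HTTP/1.1" 200 512 5003000',
    '198.51.100.9 - - [01/Feb/2026:10:01:06 +0000] "POST /feed.php HTTP/1.1" 200 512 5001000',
    '198.51.100.9 - - [01/Feb/2026:10:01:12 +0000] "POST /feed.php HTTP/1.1" 200 512 5002000',
    '192.0.2.44 - - [01/Feb/2026:10:02:00 +0000] "POST /feed.php HTTP/1.1" 200 512 90000',
    '192.0.2.44 - - [01/Feb/2026:10:03:00 +0000] "GET /index.php?q=sleep(5) HTTP/1.1" 200 512 80000',
]

if __name__ == "__main__":
    for ip, counters in analyze(SAMPLE_LOG).items():
        print(ip, counters)
```

The second source is flagged on timing alone, which is the case keyword matching on access logs misses when the feedback form is submitted by POST.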
How to Mitigate CVE-2020-37051
Immediate Actions Required
- Remove or disable the Online-Exam-System feedback functionality until the vulnerability is addressed
- Implement network-level access controls to restrict access to the affected endpoint
- Deploy a Web Application Firewall (WAF) with SQL injection protection rules as an interim measure
- Audit the database for signs of unauthorized access or data exfiltration
Patch Information
No official vendor patch is available for this vulnerability. The Online-Exam-System project is a legacy application from 2015 and may not receive security updates. Organizations using this software should consider migrating to a maintained alternative or implementing custom fixes.
For technical details and exploit information, refer to the Exploit-DB #48560 entry and the VulnCheck SQL Injection Advisory. The source code is available in the project's GitHub repository.
Workarounds
- Implement prepared statements with parameterized queries in the feed.php file to prevent SQL injection
- Add input validation and sanitization for all user-supplied data before processing
- Disable or remove the vulnerable feedback functionality if it is not essential to operations
- Place the application behind a reverse proxy with SQL injection filtering capabilities
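# Example: Block access to vulnerable endpoint using Apache
# Add to the server or virtual host configuration.
# (<Location> is not permitted in .htaccess; use <Files "feed.php"> there.)
<Location /feed.php>
    # Apache 2.4 syntax; on Apache 2.2 use "Order deny,allow" and "Deny from all"
    Require all denied
    # To allow only trusted internal networks, replace the line above with:
    # Require ip 10.0.0.0/8
</Location>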

