CVE-2025-12326 Overview
A SQL injection vulnerability has been discovered in shawon100 RUET OJ, an online judge system. This vulnerability affects the /process.php file in the POST Request Handler component, where the un parameter is susceptible to SQL injection attacks. The vulnerability allows remote attackers to manipulate database queries by injecting malicious SQL code through user-controlled input, potentially leading to unauthorized data access, modification, or deletion.
Critical Impact
Remote attackers can exploit this SQL injection vulnerability to bypass authentication, extract sensitive database contents, modify or delete data, and potentially gain further access to the underlying system through the publicly available exploit.
Affected Products
- RUET OJ (all versions up to commit 18fa45b0a669fa1098a0b8fc629cf6856369d9a5)
- shawonruet ruet_oj (no formal versioning available)
Discovery Timeline
- 2025-10-27 - CVE-2025-12326 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-12326
Vulnerability Analysis
This vulnerability is classified as SQL Injection (CWE-89) and more broadly as Injection (CWE-74). The flaw exists in the /process.php file, which handles POST requests in the RUET OJ application. When processing the un parameter, the application fails to properly sanitize or parameterize user input before incorporating it into SQL queries. This allows attackers to inject arbitrary SQL statements that are then executed by the database engine.
The exploit has been publicly disclosed, increasing the risk of widespread exploitation. The vendor was contacted regarding this vulnerability but did not respond, leaving no official patch or remediation guidance available. Due to the lack of versioning in this product, it is difficult to determine which releases are affected or unaffected.
Root Cause
The root cause of this vulnerability is improper input validation and lack of parameterized queries in the /process.php POST request handler. The un parameter is directly concatenated or interpolated into SQL statements without sanitization, escaping, or the use of prepared statements. This is a classic example of insecure coding practices that allow user-controlled data to influence database queries.
Attack Vector
The attack can be launched remotely over the network without requiring authentication. An attacker can craft malicious POST requests to /process.php with SQL injection payloads in the un parameter. The vulnerability requires no user interaction to exploit.
The attacker submits a specially crafted POST request to the /process.php endpoint, including SQL injection payloads in the un parameter. Common exploitation techniques include:
- Union-based injection: Extracting data from other database tables by appending UNION SELECT statements
- Boolean-based blind injection: Inferring database contents through true/false responses
- Time-based blind injection: Using database sleep functions to extract data through response timing
- Error-based injection: Leveraging database error messages to reveal schema information
For technical details on the exploitation methodology, refer to the VulDB vulnerability entry.
Detection Methods for CVE-2025-12326
Indicators of Compromise
- Unusual or malformed POST requests to /process.php containing SQL syntax in the un parameter
- Database error messages appearing in application logs or responses
- Unexpected database queries containing UNION, SELECT, OR, AND operators with suspicious patterns
- Authentication bypass attempts or unauthorized access to user accounts
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in POST requests to /process.php
- Monitor application and database logs for SQL error messages and anomalous query patterns
- Implement intrusion detection signatures for common SQL injection payloads targeting the un parameter
- Use runtime application self-protection (RASP) solutions to detect injection attempts
Monitoring Recommendations
- Enable detailed logging for all POST requests to /process.php and review for suspicious patterns
- Set up alerts for database errors that may indicate injection attempts
- Monitor for unusual database activity such as bulk data extraction or schema enumeration queries
- Review web server access logs for repeated requests with varying SQL injection payloads
How to Mitigate CVE-2025-12326
Immediate Actions Required
- Restrict access to the /process.php endpoint using network-level controls or authentication requirements
- Deploy a Web Application Firewall with SQL injection protection rules
- Consider taking the application offline until proper input validation can be implemented
- If possible, implement input validation and parameterized queries in the affected code
Patch Information
No official patch is available from the vendor. The vendor was contacted about this vulnerability but did not respond. Organizations using RUET OJ should implement the workarounds described below or consider migrating to an alternative solution with active security maintenance.
For additional vulnerability information, see the VulDB CTI entry and VulDB submission details.
Workarounds
- Implement a Web Application Firewall (WAF) with SQL injection detection and blocking capabilities
- Add input validation to sanitize the un parameter, allowing only expected characters (alphanumeric, limited special characters)
- Modify the application code to use prepared statements or parameterized queries instead of string concatenation
- Restrict network access to the application to trusted IP ranges only
- Monitor and log all access to /process.php for forensic analysis
# Example WAF rule configuration (ModSecurity)
SecRule ARGS:un "@detectSQLi" \
"id:1001,\
phase:2,\
deny,\
status:403,\
log,\
msg:'SQL Injection attempt detected in un parameter',\
tag:'CVE-2025-12326'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
