CVE-2025-3143 Overview
CVE-2025-3143 is a SQL injection vulnerability in SourceCodester Apartment Visitor Management System version 1.0. The flaw resides in the /visitor-entry.php script, where the visname and address parameters are passed to backend SQL queries without proper sanitization. An attacker can manipulate these parameters to alter query logic and access or modify database contents. The vulnerability is remotely exploitable and has been publicly disclosed. Multiple parameters in the same endpoint may be affected, expanding the attack surface beyond the two identified fields. The weakness is tracked under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Remote attackers with low-privilege access can inject arbitrary SQL statements through the visitor entry form, potentially exposing or tampering with visitor and resident data stored by the application.
Affected Products
- Oretnom23 Apartment Visitor Management System 1.0
- SourceCodester Apartment Visitor Management System (distribution)
- CPE: cpe:2.3:a:oretnom23:apartment_visitor_management_system:1.0
Discovery Timeline
- 2025-04-03 - CVE-2025-3143 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-3143
Vulnerability Analysis
The vulnerability exists in the visitor entry workflow of the Apartment Visitor Management System. When a user submits the visitor entry form, the /visitor-entry.php script processes the visname (visitor name) and address parameters and concatenates them directly into SQL statements. The application performs no parameterized query binding and no input neutralization. Attackers can break out of the intended string context using single quotes and append additional SQL clauses such as UNION SELECT or boolean-based payloads. Public references on GitHub document working proof-of-concept payloads against both parameters.
Root Cause
The root cause is improper neutralization of user-supplied input before it is incorporated into a SQL query. The visname and address form fields are accepted from the HTTP request and inserted into the SQL string without prepared statements, type checking, or escaping routines. PHP's mysqli_query or equivalent execution path receives a query string influenced by attacker-controlled data, satisfying the conditions of CWE-74 injection.
Attack Vector
Exploitation requires network access to the web application and a low-privilege authenticated session capable of reaching the visitor entry page. The attacker submits a crafted POST request to /visitor-entry.php with malicious SQL fragments placed in the visname or address fields. Because the application returns query results or differential responses, attackers can extract data through union-based, error-based, or time-based blind techniques. The vulnerability manifests when the modified query executes against the backend database; consult the GitHub SQL Resource 4 and GitHub SQL Resource 5 write-ups for parameter details. No verified exploit code is reproduced here.
Detection Methods for CVE-2025-3143
Indicators of Compromise
- HTTP POST requests to /visitor-entry.php containing SQL meta-characters such as ', --, UNION, SELECT, or SLEEP( inside the visname or address parameters.
- Web server access logs showing unusually long parameter values or encoded payloads (%27, %20OR%201%3D1) targeting the visitor entry endpoint.
- Database error messages referencing syntax errors near visitor fields, indicating failed or successful injection attempts.
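The indicator list above can be turned into a log-review script. The following PHP is an added example, not part of this advisory or of the vendor project: it scans combined-format access-log lines (the four lines are constructed samples) for requests to /visitor-entry.php whose visname or address parameter carries one of the listed SQL meta-characters. It assumes POST bodies are not logged, so only query-string values visible in the request line are inspected.

```php
<?php
// Added example (not from the advisory or the vendor project): scan web
// server access-log lines for injection indicators aimed at /visitor-entry.php.
// SAMPLE_LOG holds constructed lines in combined log format. Assumption:
// POST bodies are not logged, so only the query string is decoded and checked.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [03/Apr/2025:10:01:12 +0000] "POST /visitor-entry.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Apr/2025:10:02:40 +0000] "GET /visitor-entry.php?visname=%27%20OR%201%3D1--&address=x HTTP/1.1" 200 4096 "-" "curl/8.0"
10.0.0.9 - - [03/Apr/2025:10:03:01 +0000] "GET /visitor-entry.php?visname=a%27%20UNION%20SELECT%201,2,3--&address=b HTTP/1.1" 500 213 "-" "curl/8.0"
10.0.0.7 - - [03/Apr/2025:10:04:15 +0000] "GET /index.php?search=%27 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
LOG;

// Meta-characters and keywords taken from the Indicators of Compromise list.
const SQLI_PATTERN = '/(\'|--|\bUNION\b|\bSELECT\b|\bSLEEP\s*\()/i';

/** Return one finding per suspicious request to the vulnerable endpoint. */
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull out client IP and the request line ("METHOD target HTTP/x").
        if (!preg_match('/^(\S+) .*?"(\w+) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        [, $ip, $method, $target] = $m;
        if (parse_url($target, PHP_URL_PATH) !== '/visitor-entry.php') {
            continue;
        }
        $query = parse_url($target, PHP_URL_QUERY) ?? '';
        parse_str($query, $params);   // parse_str also URL-decodes %27, %20 etc.
        foreach (['visname', 'address'] as $field) {
            $value = (string) ($params[$field] ?? '');
            if ($value !== '' && preg_match(SQLI_PATTERN, $value, $hit)) {
                $findings[] = ['ip' => $ip, 'method' => $method,
                               'field' => $field, 'indicator' => $hit[1]];
            }
        }
    }
    return $findings;
}

foreach (scanAccessLog(SAMPLE_LOG) as $f) {
    printf("ALERT %s %s %s contains %s\n", $f['ip'], $f['method'], $f['field'], $f['indicator']);
}
```

Against the sample lines the script reports the two GET requests from 10.0.0.9 and ignores the clean POST and the unrelated /index.php request.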
Detection Strategies
- Deploy web application firewall (WAF) signatures that flag SQL injection patterns on requests targeting /visitor-entry.php.
- Enable database query logging and alert on queries containing inline string concatenation that originates from visitor entry sessions.
- Correlate authentication events with subsequent injection patterns from the same source IP to identify low-privilege accounts probing the form.
Monitoring Recommendations
- Forward web server, application, and database logs into a centralized analytics platform to enable cross-source correlation of injection activity.
- Establish baselines for normal request size and parameter content on /visitor-entry.php, then alert on deviations.
- Monitor outbound database connections and unexpected data egress that could indicate post-exploitation data extraction.
How to Mitigate CVE-2025-3143
Immediate Actions Required
- Restrict network access to the Apartment Visitor Management System so that only trusted users on internal networks can reach /visitor-entry.php.
- Disable or take the application offline until a vendor-supplied patch is available, given that the codebase is a known-vulnerable SourceCodester project.
- Rotate credentials for the database account used by the application and limit its privileges to the minimum required tables.
Patch Information
No vendor advisory or patch has been published at the time of writing. References tracked in VulDB #303048 and the SourceCodester project page should be reviewed for any subsequent updates. Organizations relying on this application should plan migration to a maintained alternative.
Workarounds
- Place the application behind a WAF configured with SQL injection rule sets that inspect POST bodies on the visitor entry endpoint.
- Modify the source code to replace inline SQL concatenation with parameterized queries using mysqli_prepare or PDO prepared statements with bound parameters.
- Apply server-side input validation to reject characters and keywords not expected in name and address fields before they reach the database layer.
# Example nginx rule to block obvious SQLi patterns on the visitor entry endpoint.
# Note: nginx evaluates "if" in the rewrite phase, before the request body has
# been read, so $request_body is empty at that point and cannot be matched here.
# Inspecting POST bodies (the form's actual submission path) requires a WAF
# module such as ModSecurity or an njs/Lua handler that reads the body first.
location = /visitor-entry.php {
    # Query-string check only; catches the encoded forms listed under Indicators of Compromise.
    if ($args ~* "(union.*select|select.*from|sleep\(|--|;)") {
        return 403;
    }
    proxy_pass http://backend;
}
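The source-code workaround (parameterized queries plus server-side validation) looks like this in practice. This is an added example, not the vendor's visitor-entry.php: the concatenating pattern the advisory describes is shown beside a replacement that uses mysqli_prepare with bound parameters. The table name `visitors`, its columns, the `$con` connection and the length limits are placeholders, not values taken from the project.

```php
<?php
// Added example (not the vendor's visitor-entry.php). Assumptions: a mysqli
// connection $con and a placeholder table `visitors` with columns `name` and
// `address`; the real project's schema is not known from the advisory.
declare(strict_types=1);

// VULNERABLE (illustrative): visname/address concatenated straight into SQL.
// A single quote in either value ends the string literal; whatever follows is
// parsed as SQL, which is the CWE-74 condition the advisory describes.
function insertVisitorUnsafe(mysqli $con, string $visname, string $address): bool
{
    $sql = "INSERT INTO visitors (name, address) VALUES ('$visname', '$address')";
    return (bool) mysqli_query($con, $sql);
}

// HARDENED: prepared statement with bound parameters. Values travel separately
// from the query text, so quotes or keywords in them cannot change the statement.
function insertVisitorSafe(mysqli $con, string $visname, string $address): bool
{
    // Defence in depth: reject input a name or address should never contain.
    if (!validateVisitorField($visname, 100) || !validateVisitorField($address, 250)) {
        return false;
    }
    $stmt = mysqli_prepare($con, 'INSERT INTO visitors (name, address) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'ss', $visname, $address);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Allow letters in any script, digits, spaces and a few address punctuation
// marks, with a length cap. Quotes, semicolons and "--" are rejected outright.
function validateVisitorField(string $value, int $maxLen): bool
{
    return $value !== ''
        && mb_strlen($value) <= $maxLen
        && preg_match('/^[\p{L}\p{N} .,#\/-]+$/u', $value) === 1;
}

// How the form handler would call it (placeholder $con):
// $ok = insertVisitorSafe($con, (string) ($_POST['visname'] ?? ''),
//                         (string) ($_POST['address'] ?? ''));
```

The validation rule is deliberately strict; widen the character class to match the formats the deployment actually accepts rather than dropping the check.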
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

