Skip to main content
CVE Vulnerability Database

CVE-2025-9150: Dormitory Management PHP SQL Injection Flaw

CVE-2025-9150 is a SQL injection vulnerability in Surbowl dormitory-management-php affecting the violation_add.php file. Remote attackers can exploit this flaw to manipulate database queries. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-9150 Overview

CVE-2025-9150 is a SQL injection vulnerability in Surbowl dormitory-management-php, an open-source dormitory management application written in PHP. The flaw exists in /admin/violation_add.php, where the id parameter is concatenated into a SQL statement without proper sanitization. Remote attackers can manipulate the id argument to inject arbitrary SQL syntax. The project follows a rolling release model up to commit 9f1d9d1f528cabffc66fda3652c56ff327fda317, and the affected product is no longer supported by the maintainer. A public exploit has been disclosed through VulDB and GitHub.

Critical Impact

Remote attackers can execute arbitrary SQL queries against the backend database without authentication context validation, exposing dormitory records and administrative data.

Affected Products

  • Surbowl dormitory-management-php (rolling release up to commit 9f1d9d1f528cabffc66fda3652c56ff327fda317)
  • Affected file: /admin/violation_add.php
  • Product is no longer supported by the maintainer

Discovery Timeline

  • 2025-08-19 - CVE-2025-9150 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-9150

Vulnerability Analysis

The vulnerability resides in the violation_add.php script located in the /admin/ directory of the Surbowl dormitory management application. The script accepts an id parameter via the query string, as seen in the request /admin/violation_add.php?id=2. The application embeds this user-controlled value directly into a SQL statement without parameterized queries or input filtering.

This pattern matches [CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)]. Attackers can append SQL clauses such as UNION SELECT payloads, boolean-based blind injection vectors, or time-based delay functions. Because the endpoint lives under /admin/, successful exploitation may yield access to violation records, student records, and administrator credential hashes stored in the backing MySQL database.

Root Cause

The root cause is the absence of prepared statements or input validation when constructing SQL queries with the id parameter. PHP applications using legacy mysql_query or unparameterized mysqli_query calls with concatenated user input are inherently vulnerable to this class of attack.

Attack Vector

Exploitation requires only network access to the application's admin path. The attacker submits a crafted HTTP GET request with a malicious id value. According to the NVD entry, no authentication or user interaction is required to trigger the injection, and a public proof of concept is referenced through the GitHub Issue Report and VulDB #320529.

Detection Methods for CVE-2025-9150

Indicators of Compromise

  • HTTP requests to /admin/violation_add.php containing SQL meta-characters such as ', ", --, UNION, SELECT, or SLEEP( in the id parameter.
  • Database error messages or unusually long response times originating from the violation management endpoint.
  • Unexpected outbound queries or schema enumeration patterns in MySQL slow query and general logs.

Detection Strategies

  • Deploy WAF rules that inspect query strings for SQL injection signatures targeting violation_add.php.
  • Enable verbose web server access logging and alert on non-numeric values supplied to the id parameter.
  • Correlate web access logs with database audit logs to surface anomalous query structures referencing information_schema or mysql.user.

Monitoring Recommendations

  • Monitor the /admin/ path for requests originating from unauthenticated sessions or unfamiliar source IPs.
  • Track repeated 500-series HTTP responses from violation_add.php, which often indicate injection probing.
  • Review database accounts used by the PHP application for unexpected privilege escalation or data export activity.

How to Mitigate CVE-2025-9150

Immediate Actions Required

  • Restrict access to the /admin/ directory using network ACLs, VPN gating, or HTTP basic authentication at the web server level.
  • Take the application offline if it is exposed to untrusted networks, given that the project is unsupported.
  • Audit the backing database for signs of unauthorized data access or modification.

Patch Information

No vendor patch is available. The maintainer no longer supports Surbowl dormitory-management-php, and the project uses a rolling release model without published versioning. Organizations should plan migration to a supported dormitory management platform. Refer to the VulDB advisory for additional context.

Workarounds

  • Modify violation_add.php locally to use parameterized queries via mysqli_prepare or PDO with bound parameters.
  • Add server-side validation that rejects non-integer values for the id parameter before reaching database code.
  • Place the application behind a Web Application Firewall configured with OWASP Core Rule Set SQL injection rules.
  • Enforce least-privilege database accounts so the PHP user cannot read sensitive tables or execute administrative SQL.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.