CVE-2026-5666 Overview
A vulnerability was detected in code-projects Online FIR System 1.0. It affects unspecified functionality of the file /complaints.sql in the SQL Database Backup File Handler component and results in insecure storage of sensitive information. The attack can be performed remotely. The exploit is public and may be used.
Critical Impact
Sensitive database backup files are publicly accessible, allowing unauthorized remote attackers to download and extract confidential information including user data, FIR records, and potentially authentication credentials stored within the SQL backup file.
Affected Products
- code-projects Online FIR System 1.0
- SQL Database Backup File Handler component
- Web applications using exposed /complaints.sql backup files
Discovery Timeline
- 2026-04-06 - CVE-2026-5666 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-5666
Vulnerability Analysis
This vulnerability falls under the category of Information Exposure (CWE-200), where sensitive information stored in a SQL database backup file is accessible to unauthorized actors. The Online FIR System, designed to manage First Information Reports for law enforcement purposes, improperly exposes its database backup file through a publicly accessible web path.
The core issue stems from the application storing a complete SQL database backup file (complaints.sql) in a location that can be accessed remotely without authentication. This file likely contains the complete database structure, stored procedures, and most critically, all data records including sensitive personal information, case details, and potentially user credentials.
The network-accessible nature of this vulnerability means any remote attacker who discovers the file path can download the complete database backup without requiring any special privileges or user interaction.
Root Cause
The root cause of this vulnerability is improper access control and insecure storage practices for sensitive database backup files. The application stores SQL backup files in a web-accessible directory without implementing proper authentication or access restrictions. This is a common misconfiguration in PHP-based applications where backup files are inadvertently placed within the webroot or lack proper .htaccess protection.
Attack Vector
The attack can be executed remotely over the network with low complexity. An attacker can exploit this vulnerability by:
- Discovering the backup file path through directory enumeration, web crawling, or common file path guessing
- Directly accessing the /complaints.sql endpoint via HTTP request
- Downloading the complete SQL database backup file
- Extracting sensitive information including user records, FIR details, and authentication data
The vulnerability requires no authentication or user interaction, making it trivially exploitable once the file path is known. The exploit has been publicly disclosed, increasing the risk of widespread exploitation.
Detection Methods for CVE-2026-5666
Indicators of Compromise
- Unusual HTTP GET requests to /complaints.sql or similar SQL backup file paths
- Web server logs showing successful downloads of .sql files from unauthorized IP addresses
- Increased outbound data transfer from the web server hosting the FIR System
- Evidence of directory enumeration or file path brute-forcing in access logs
Detection Strategies
- Configure web application firewalls (WAF) to block direct access to .sql file extensions
- Implement log monitoring rules to alert on any requests for database backup files
- Deploy file integrity monitoring (FIM) on sensitive directories to detect unauthorized access
- Use intrusion detection systems to identify patterns of sensitive file enumeration
Monitoring Recommendations
- Enable detailed access logging for the web server and monitor for requests to backup file paths
- Set up alerts for successful HTTP 200 responses to SQL file requests
- Monitor network traffic for large data exfiltration patterns from the affected server
- Regularly audit web server configurations to ensure backup files are not in webroot
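The log-monitoring rules above can be sketched as follows. This is an added example, not code from the vendor or the advisory source. It assumes the web server writes the Apache/Nginx "combined" access log format, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Extensions taken from this advisory's mitigation rules.
BACKUP_EXT = (".sql", ".bak", ".dump", ".backup")

# Apache/Nginx "combined" access log format (assumed log layout).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def backup_hits(lines):
    """Yield (ip, path, status, size) for requests that target backup files."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string, then decode %-escapes so /complaints%2Esql matches.
        path = unquote(m["target"].split("?", 1)[0]).lower()
        if path.endswith(BACKUP_EXT):
            size = 0 if m["size"] == "-" else int(m["size"])
            yield m["ip"], path, int(m["status"]), size

def triage(lines, probe_threshold=3):
    """Return (successful downloads, clients probing many backup paths)."""
    downloads, probes = [], defaultdict(set)
    for ip, path, status, size in backup_hits(lines):
        if status in (200, 206) and size > 0:
            downloads.append((ip, path, size))   # file content left the server
        else:
            probes[ip].add(path)                 # blocked or missing: a probe
    enumerators = sorted(ip for ip, p in probes.items() if len(p) >= probe_threshold)
    return downloads, enumerators

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [06/Apr/2026:10:01:02 +0000] "GET /backup.sql HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [06/Apr/2026:10:01:03 +0000] "GET /db.bak HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [06/Apr/2026:10:01:04 +0000] "GET /dump.sql HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [06/Apr/2026:10:01:05 +0000] "GET /complaints.sql HTTP/1.1" 200 48213 "-" "-"',
    '198.51.100.9 - - [06/Apr/2026:10:02:00 +0000] "GET /index.php?f=complaints.sql HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.20 - - [06/Apr/2026:10:03:00 +0000] "GET /Complaints%2Esql HTTP/1.1" 403 153 "-" "-"',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any entry in the downloads list means the backup content was served and should be handled as a confirmed exposure, while the second list separates path enumeration from one-off requests.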
How to Mitigate CVE-2026-5666
Immediate Actions Required
- Remove the /complaints.sql file from the web-accessible directory immediately
- Audit the web server for other exposed backup files (.sql, .bak, .dump, etc.)
- Move all database backup files to a location outside the webroot
- Implement proper access controls requiring authentication for sensitive file access
- Review and rotate any credentials that may have been exposed in the backup file
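The audit step above can be automated with a short script. This is an added example, not part of the original advisory or the Online FIR System code. It goes slightly beyond the extension list by also sniffing file content, so a dump saved under another name is still reported; the marker strings and the skipped source-file extensions are assumptions of this sketch.

```python
import os
import sys

# Extensions taken from this advisory's mitigation rules.
BACKUP_EXT = (".sql", ".bak", ".dump", ".backup")
# Application source legitimately contains SQL keywords; skip it (assumption).
SOURCE_EXT = (".php", ".html", ".htm", ".js", ".css")
# Heuristic markers: mysqldump / phpMyAdmin headers and schema statements.
SQL_MARKERS = (b"-- mysql dump", b"-- phpmyadmin sql dump", b"create table")

def looks_like_sql_dump(path, sniff_bytes=65536):
    """Content check that catches dumps stored under another name (e.g. db.txt)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(sniff_bytes).lower()
    except OSError:
        return False  # unreadable file: nothing to report from content
    return any(marker in head for marker in SQL_MARKERS)

def audit_webroot(webroot):
    """Return sorted (relative_path, reason) pairs for files to move out of the webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot)
            lower = name.lower()
            if lower.endswith(BACKUP_EXT):
                findings.append((rel, "backup extension"))
            elif not lower.endswith(SOURCE_EXT) and looks_like_sql_dump(full):
                findings.append((rel, "SQL dump content"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit_webroot.py /path/to/webroot
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in audit_webroot(root):
        print(f"{reason}: {rel}")
```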
Patch Information
No official patch has been released for this vulnerability. Organizations using the Online FIR System 1.0 should immediately implement the workarounds listed below and contact the vendor for an updated version. Additional technical details are available through VulDB Vulnerability #355489 and the GitHub CVE Project Guide.
Workarounds
- Configure .htaccess to deny direct access to all .sql files within the webroot
- Relocate database backup files to a directory outside the webroot entirely
- Implement web server configuration rules to block requests for backup file extensions
- Use encryption for database backups even when stored in non-public locations
- Deploy a WAF rule to block access patterns associated with backup file enumeration
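# Apache .htaccess configuration to block SQL file access
# (Apache 2.4 uses Require; the Order/Deny form is the Apache 2.2 syntax)
<FilesMatch "\.(sql|bak|dump|backup)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Nginx configuration to deny SQL file access (place inside the server block)
location ~* \.(sql|bak|dump|backup)$ {
    deny all;
    return 403;
}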


