search menu icon-carat-right cmu-wordmark

CERT Coordination Center

PHP Address Book sqli vulnerability

Vulnerability Note VU#183692

Original Release Date: 2013-04-05 | Last Revised: 2013-04-05


PHP Address Book web application is vulnerable to multiple sqli injection vulnerabilities.


CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

PHP Address Book 8.2.5 and possibly older versions fail to sanitize input from multiple functions.{insert}&password=pass{insert}{insert}{insert}

Additional information on vulnerable functions can be found at Acadion Security advisory.


A remote unauthenticated attacker may be able to run a subset of SQL commands against the back-end database.


We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi attacks since the attack comes as an SQL request from a legitimate user's host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.

Vendor Information


PHP Address Book Affected

Updated:  April 03, 2013



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 9 AV:N/AC:L/Au:N/C:C/I:P/A:P
Temporal 6.5 E:U/RL:W/RC:UC
Environmental 1.7 CDP:L/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Jurgen Voorneveld of Acadion Security for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2013-0135
Date Public: 2013-04-05
Date First Published: 2013-04-05
Date Last Updated: 2013-04-05 18:00 UTC
Document Revision: 16

Sponsored by CISA.