CVE-2008-7145 in phpAddressBook
Summary
by MITRE
Multiple SQL injection vulnerabilities in index.php in CoronaMatrix phpAddressBook 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) parameters.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/13/2025
The vulnerability identified as CVE-2008-7145 affects the CoronaMatrix phpAddressBook version 2.0, specifically targeting the index.php script which serves as the primary entry point for user authentication and address management functionalities. This critical security flaw manifests as multiple SQL injection vulnerabilities that enable remote attackers to manipulate the underlying database through carefully crafted input parameters. The vulnerability impacts two distinct input vectors within the application's authentication mechanism, specifically the username field and additional parameters that are processed during user session establishment. These injection points represent fundamental flaws in input validation and query construction practices that have persisted in the application's codebase, creating persistent attack surfaces that can be exploited without requiring any prior authentication or privileged access.
The technical exploitation of this vulnerability occurs through the improper handling of user-supplied input within SQL query construction processes. When users provide input through the username or parameter fields, the application fails to properly sanitize or escape these values before incorporating them into database queries. This lack of input validation creates opportunities for attackers to inject malicious SQL code that gets executed by the database engine with the privileges of the application's database user. The vulnerability maps directly to CWE-89 which defines SQL injection as the insertion of malicious SQL code into input fields, and specifically aligns with CWE-20 which addresses improper input validation. Attackers can leverage this flaw to extract sensitive information, modify database records, or potentially escalate privileges within the application's database environment.
The operational impact of this vulnerability extends beyond simple data theft to encompass complete system compromise and unauthorized access to sensitive user information. Remote attackers can exploit these injection points to gain unauthorized access to the address book database, potentially accessing personal contact information, user credentials, and other confidential data stored within the application's repository. The vulnerability affects the application's authentication and authorization mechanisms, potentially allowing attackers to bypass normal access controls and assume the identity of legitimate users. According to ATT&CK framework category T1190, this vulnerability represents a technique for exploiting remote services and can be categorized under T1071.3 for application layer protocol manipulation. The impact is particularly severe given that the vulnerability affects the core authentication functionality of the application, potentially enabling attackers to establish persistent access to the system.
Mitigation strategies for this vulnerability require immediate implementation of proper input validation and parameterized query construction practices. Organizations should implement strict input sanitization measures that filter or escape all user-supplied data before processing, ensuring that special characters commonly used in SQL injection attacks are neutralized. The recommended approach involves transitioning from dynamic SQL query construction to parameterized queries or prepared statements that separate SQL code from data, thereby preventing malicious input from being interpreted as executable code. Security patches should be applied immediately to update the phpAddressBook application to a version that addresses these injection vulnerabilities, while network-level protections such as web application firewalls can provide additional defense-in-depth measures. Regular security assessments and code reviews should be conducted to identify and remediate similar input validation flaws in other application components, with particular attention to the application's database interaction patterns and authentication flows.