CVE-2018-18800 in Welcome to our Resort
Summary
by MITRE
The Tubigan "Welcome to our Resort" 1.0 software allows SQL Injection via index.php?p=accomodation&q=[SQL], index.php?p=rooms&q=[SQL], or admin/login.php.
Analysis
by VulDB Data Team • 07/30/2025
The vulnerability identified as CVE-2018-18800 resides in version 1.0 of the Tubigan "Welcome to our Resort" web application and is a critical SQL injection flaw that compromises the integrity of the underlying database. It is reachable through three input points: index.php?p=accomodation&q=[SQL], index.php?p=rooms&q=[SQL], and admin/login.php, all of which accept user input without sanitization or validation. Because the application performs no adequate input filtering, an attacker can inject arbitrary SQL into the queries the application executes.
The flaw is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the direct consequence of insufficient input validation and sanitization. When a user manipulates the query parameters at the URLs above, the application concatenates those values directly into SQL statements without escaping or parameterization. Injected SQL can therefore bypass authentication, extract sensitive data, modify database contents, or execute destructive operations against the database. The vulnerability affects both the public-facing pages and the administrative login, which significantly widens the attack surface.
The operational impact goes beyond data theft: SQL injection at these points can serve as a foothold for persistence and privilege escalation. Successful exploitation could expose guest information, reservation data, administrative credentials, and other sensitive business data held in the resort management system. Because two of the injection points sit in the public accommodation and room listing pages, an unauthenticated visitor could exploit the flaw, while the admin/login.php endpoint gives a direct route to administrative functions. This dual exposure offers attackers multiple paths to reconnaissance, data exfiltration, or full system compromise.
Mitigation must address the fundamental lack of input validation and move every database access to parameterized queries. Organizations should immediately deploy input validation that checks and escapes all user-supplied data before it is processed, and implement prepared statements or parameterized queries so that user input can never alter the structure of a SQL command; parameterization is the control that actually closes the injection, with validation serving as defense in depth. Remediation should include a comprehensive code review to find every injection point, followed by proper access controls and authentication mechanisms. In addition, network-based controls such as a web application firewall should be configured to detect and block suspicious SQL injection patterns, and regular security assessments should look for similar flaws in other components of the application. This vulnerability demonstrates the importance of secure coding practices and of adhering to industry standards such as the OWASP Top Ten and the NIST cybersecurity frameworks to prevent such widespread exploitation opportunities.
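The following PHP is an added illustration written for this page; it is not code from the Tubigan "Welcome to our Resort" project, and the table and column names it uses (rooms, users, name, price, username, password_hash), the DSN, and the database credentials are assumptions. It contrasts the concatenation pattern the analysis describes for index.php?p=rooms&q=... with the remediation it recommends: a PDO prepared statement for the room search and a parameterized credential lookup for the admin login.

```php
<?php
// Added example for CVE-2018-18800 (CWE-89); not the project's own code.
// Schema (rooms, users, name, price, username, password_hash) is assumed.

// The pattern the advisory describes: q is concatenated into the SQL text,
// so any quote or operator in q becomes part of the statement. Shown only
// for contrast; it must never be executed against a real database.
function buildRoomsQueryVulnerable(string $q): string
{
    return "SELECT id, name, price FROM rooms WHERE name LIKE '%" . $q . "%'";
}

// Remediated search: the SQL text is a fixed literal and the user value is
// bound as a parameter, so it can only ever be compared, never interpreted.
function findRooms(PDO $db, string $q): array
{
    $stmt = $db->prepare('SELECT id, name, price FROM rooms WHERE name LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $q . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Remediated admin login: the username is bound, and the password is checked
// with password_verify() against a stored hash rather than inside the query.
function authenticateAdmin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Connection setup: native prepares (no client-side emulation) so the server
// enforces the parameter boundary, and exceptions instead of silent false.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Handler sketch for index.php?p=rooms&q=...; the page parameter is
// allow-listed and q is length-limited before any query runs.
$db = connect('mysql:host=localhost;dbname=resort;charset=utf8mb4', 'resort_app', 'CHANGE_ME');

$allowedPages = ['rooms', 'accomodation'];
$p = isset($_GET['p']) ? (string) $_GET['p'] : 'rooms';
if (!in_array($p, $allowedPages, true)) {
    http_response_code(404);
    exit('unknown page');
}

$q = isset($_GET['q']) ? (string) $_GET['q'] : '';
if (strlen($q) > 64) {
    http_response_code(400);
    exit('search term too long');
}

foreach (findRooms($db, $q) as $room) {
    // Output encoding so the search result cannot be used for XSS either.
    echo htmlspecialchars($room['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Two points worth noting when applying this. First, binding parameters removes the injection but does not neutralize LIKE wildcards: a `%` or `_` typed by the user still acts as a wildcard inside the pattern, which is a search-behaviour issue rather than an injection and can be handled by escaping those two characters before building the pattern. Second, the MySQL account used by the application (resort_app above) should be granted only the SELECT, INSERT and UPDATE rights the pages actually need, so that even a future injection bug elsewhere cannot drop tables or read the mysql system schema.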