CVE-2009-4597

PHP Inventory 1.2 - SQL Injection via User ID, Username, or Password Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4597. PoCs published by mr_me.

AI-analyzed exploit summary The document describes an authentication bypass and SQL injection vulnerability in PHP Inventory v1.2, including specific payloads for SQLi and reflected XSS. It provides technical details on how to exploit the flaws but does not include functional exploit code.

Description

Multiple SQL injection vulnerabilities in index.php in PHP Inventory 1.2 allow (1) remote authenticated users to execute arbitrary SQL commands via the user_id parameter in a users details action, and allow remote attackers to execute arbitrary SQL commands via the (2) user (username) and (3) pass (password) parameters. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb WRITEUP VERIFIED
by mr_me · textwebappsphp
https://www.exploit-db.com/exploits/10370

The document describes an authentication bypass and SQL injection vulnerability in PHP Inventory v1.2, including specific payloads for SQLi and reflected XSS. It provides technical details on how to exploit the flaws but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Sqli | Auth Bypass | Xss
Complexity
Trivial
Reliability
Reliable
Target: PHP Inventory v1.2
No auth needed
Prerequisites: Access to the target web application
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37672
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/10370
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54666

Scores

EPSS 0.0099
EPSS Percentile 57.8%

Details

CWE
CWE-89
Status published
Products (1)
phpwares/php_inventory 1.2
Published Jan 12, 2010
Tracked Since Feb 18, 2026