Campcodes Online Hospital Management System 1.0 - SQL Injection

Medium
Exploit, web, exploit
Published: Thu May 29 2025 (05/29/2025, 00:00:00 UTC)
Source: Exploit-DB RSS Feed

Description

Campcodes Online Hospital Management System 1.0 - SQL Injection

AI-Powered Analysis

Last updated: 06/11/2025, 21:16:48 UTC

Technical Analysis

The Campcodes Online Hospital Management System (OHMS) version 1.0 is vulnerable to multiple SQL injection (SQLi) attacks in its administrative reporting functionality, specifically in the /admin/betweendates-detailsreports.php endpoint. The 'fromdate' and 'todate' POST parameters are not properly sanitized or validated before being incorporated into SQL queries, so an attacker can inject SQL that manipulates how the database query executes.

The 'fromdate' parameter is susceptible to time-based blind SQL injection, which lets an attacker infer database information from deliberate delays (e.g., using the MySQL SLEEP() function). The 'todate' parameter is vulnerable to both boolean-based blind SQL injection and UNION-based SQL injection, which lets an attacker extract data through queries that return true/false conditions or combine results from multiple queries. The exploit code demonstrates the use of automated tools like sqlmap to confirm and exploit these vulnerabilities.

The affected system is built using PHP and MySQL, running on Linux (Ubuntu 23.10 tested). The SQLi vulnerabilities can be exploited without authentication, as the exploit targets the admin report page, which may be accessible to authenticated users or potentially exposed due to misconfigurations. No official patches or fixes are currently available from the vendor. The CVE identifier assigned is CVE-2025-5298, but no CVSS score has been published. The exploit code is provided as text-based payloads suitable for use with sqlmap or manual injection attempts.

Potential Impact

For European organizations using the Campcodes OHMS 1.0, this SQL injection vulnerability poses significant risks to confidentiality, integrity, and availability of sensitive healthcare data. Attackers could extract patient records, administrative data, and other confidential information, violating GDPR and other data protection regulations. The ability to perform UNION-based queries and time-based blind injections means attackers can systematically enumerate database schema and contents, potentially leading to full database compromise. Integrity risks include unauthorized modification or deletion of records, which could disrupt hospital operations and patient care. Availability could be impacted if attackers execute resource-intensive queries causing denial of service. Given the healthcare context, such breaches could lead to reputational damage, regulatory fines, and harm to patient safety. Although no widespread exploitation is currently reported, the presence of public exploit code increases the likelihood of targeted attacks, especially against smaller hospitals or clinics with limited cybersecurity resources.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the /admin/betweendates-detailsreports.php endpoint to trusted administrators only, ideally behind VPN or strong network access controls.
2. Implement input validation and parameterized queries (prepared statements) for all database interactions, especially for 'fromdate' and 'todate' fields, to prevent injection.
3. Conduct a thorough code review of the entire OHMS application to identify and remediate other potential injection points.
4. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting these parameters.
5. Monitor logs for unusual query patterns or repeated failed attempts indicative of SQLi exploitation.
6. If possible, upgrade to a patched version or apply vendor-provided fixes once available.
7. Educate administrators about the risks of exposing admin interfaces publicly and enforce strong authentication and session management.
8. Regularly back up databases and test restoration procedures to mitigate impact of potential data corruption or deletion.
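
The input validation and prepared statements recommended in item 2, shown as an added example that is not code from Campcodes OHMS or from the exploit author. The table report_rows_demo, its columns and both function names are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline (assumes PHP 8 with pdo_sqlite).

```php
<?php
declare(strict_types=1);

// Accept only a real calendar date in YYYY-MM-DD form; return null otherwise.
function parse_report_date(mixed $raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $raw)) {
        return null;
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // The round-trip check rejects overflow dates such as 2025-02-31.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

// Run the between-dates report; request values reach SQL only as bound parameters.
function between_dates_report(PDO $db, mixed $from, mixed $to): array
{
    $from = parse_report_date($from);
    $to   = parse_report_date($to);
    if ($from === null || $to === null || $from > $to) {
        throw new InvalidArgumentException('fromdate/todate must be valid YYYY-MM-DD dates');
    }
    // report_rows_demo is a hypothetical table, not the application's schema.
    $stmt = $db->prepare(
        'SELECT id, patient_name, created_on FROM report_rows_demo
         WHERE created_on BETWEEN :from AND :to ORDER BY created_on'
    );
    $stmt->execute([':from' => $from, ':to' => $to]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (stand-in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE report_rows_demo (id INTEGER PRIMARY KEY, patient_name TEXT, created_on TEXT)');
$db->exec("INSERT INTO report_rows_demo (patient_name, created_on) VALUES ('Sample A', '2025-01-10'), ('Sample B', '2025-03-05')");

// Constructed inputs: one well-formed request, one with SQL text appended to 'todate'.
$requests = [
    ['fromdate' => '2025-01-01', 'todate' => '2025-01-31'],
    ['fromdate' => '2025-01-01', 'todate' => "2025-01-31' OR '1'='1"],
];
foreach ($requests as $post) {
    try {
        $rows = between_dates_report($db, $post['fromdate'], $post['todate']);
        printf("accepted: %d row(s)\n", count($rows));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

When the same code connects to MySQL through PDO, set PDO::ATTR_EMULATE_PREPARES to false so the driver uses server-side prepared statements instead of client-side emulation.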

Technical Details

Edb Id: 52312
Has Exploit Code: true
Code Language: text

Exploit Source Code

Exploit code for Campcodes Online Hospital Management System 1.0 - SQL Injection

# Exploit Title: Campcodes Online Hospital Management System 1.0 - SQL Injection
# Google Dork: N/A
# Exploit Author: Carine Constantino
# Vendor Homepage: https://www.campcodes.com
# Software Link: https://www.campcodes.com/projects/online-hospital-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Linux - Ubuntu Ubuntu 23.10 
# CVE: CVE-2025-5298

# Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection
# The report in admin/betweendates-detailsreports.p
... (2934 more characters)
Code Length: 3,434 characters

Threat ID: 68489d727e6d765d51d5225b

Added to database: 6/10/2025, 9:02:42 PM

Last enriched: 6/11/2025, 9:16:48 PM

Last updated: 8/12/2025, 4:13:54 PM
