A recent dark web post has drawn attention to a significant security concern involving the Civil Aviation Authority of Papua New Guinea. A threat actor known as Lei shared details of an SQL Injection (SQLi) vulnerability discovered on the agency’s public website. The vulnerability involves a live URL parameter that fails to sanitize user input, thereby exposing the site to potential exploitation.
The post indicates that standard union-based SQL injection payloads are blocked by the Sucuri web application firewall, but the underlying lack of input sanitization remains a serious risk. Lei claims that advanced payloads, such as time-based or obfuscated injections, might bypass these filters through custom tampering techniques or WAF-aware tools.
Lei included a link to the vulnerable parameter, inviting other malicious actors to test the exploit themselves. This level of disclosure poses a significant threat, as it effectively crowdsources exploitation of the vulnerability to a broader pool of potential attackers.
The post also bears the branding of NullSec Philippines, suggesting possible collaboration or ideological alignment with this hacktivist group.