CVE-2024-0389: Student Attendance System SQLi Vulnerability

CVE-2024-0389 Overview

A critical SQL injection vulnerability has been identified in SourceCodester Student Attendance System version 1.0. The vulnerability exists in the attendance_report.php file, where the class_id parameter is not properly sanitized before being used in SQL queries. This flaw allows remote attackers to inject malicious SQL commands, potentially leading to unauthorized data access, data manipulation, or complete database compromise.

Critical Impact

Unauthenticated remote attackers can exploit this SQL injection vulnerability to extract sensitive student and attendance data, modify database records, or potentially gain further access to the underlying system.

Affected Products

• SourceCodester Student Attendance System 1.0
• student_attendance_system_project student_attendance_system

Discovery Timeline

• 2024-01-10 - CVE-2024-0389 published to NVD
• 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-0389

Vulnerability Analysis

This SQL injection vulnerability occurs in the attendance_report.php file of the Student Attendance System application. The class_id parameter is directly incorporated into SQL queries without proper input validation or parameterized query implementation. This classic injection flaw allows attackers to manipulate database queries by inserting specially crafted SQL statements through the vulnerable parameter.

The vulnerability is particularly dangerous because it requires no authentication to exploit and can be triggered remotely over the network. Successful exploitation could result in complete compromise of database confidentiality, integrity, and availability. Attackers could extract sensitive student records, modify attendance data, or even execute administrative database operations depending on the database user privileges.

Root Cause

The root cause of this vulnerability is the failure to implement proper input sanitization and parameterized queries (prepared statements) when handling the class_id parameter in attendance_report.php. The application directly concatenates user-supplied input into SQL query strings, creating a classic SQL injection attack surface. This violates secure coding practices that mandate treating all user input as potentially malicious and using parameterized queries to separate SQL code from data.

Attack Vector

The attack vector is network-based, allowing remote exploitation without authentication. An attacker can craft malicious HTTP requests to the attendance_report.php endpoint with a specially crafted class_id parameter containing SQL injection payloads. The vulnerability requires no user interaction and can be exploited with low complexity, making it an attractive target for automated scanning tools and opportunistic attackers.

The attacker manipulates the class_id parameter by appending SQL syntax such as single quotes, UNION statements, or boolean-based payloads to extract data or modify query behavior. The exploit has been publicly disclosed, increasing the risk of widespread exploitation attempts against unpatched systems.

Detection Methods for CVE-2024-0389

Indicators of Compromise

• Unusual SQL error messages in application logs referencing attendance_report.php
• Web server access logs showing requests to attendance_report.php with suspicious class_id parameter values containing SQL keywords (UNION, SELECT, OR, AND, etc.)
• Database query logs showing malformed or unexpected queries originating from the attendance reporting functionality
• Evidence of data exfiltration or unauthorized database access patterns

Detection Strategies

• Implement web application firewall (WAF) rules to detect and block SQL injection patterns in the class_id parameter
• Deploy intrusion detection systems (IDS) with signatures for common SQL injection attack patterns
• Monitor application logs for SQL syntax errors and exception messages that may indicate injection attempts
• Utilize database activity monitoring (DAM) solutions to detect anomalous query patterns

Monitoring Recommendations

• Enable verbose logging for the web application server to capture all requests to attendance_report.php
• Configure database audit logging to track all queries executed against the attendance-related tables
• Set up automated alerting for patterns matching SQL injection attempts in web traffic
• Regularly review access logs for reconnaissance activity targeting the vulnerable endpoint

How to Mitigate CVE-2024-0389

Immediate Actions Required

• Immediately restrict or disable access to the attendance_report.php file until a patch can be applied
• Implement input validation on the class_id parameter to accept only numeric values
• Deploy web application firewall rules to block SQL injection attempts targeting this endpoint
• Review database logs for any evidence of prior exploitation and assess potential data compromise

Patch Information

No official vendor patch has been identified in the available vulnerability data. Organizations using SourceCodester Student Attendance System 1.0 should contact the vendor for remediation guidance or consider implementing the source code modifications described in the workarounds section. For additional technical details, refer to the VulDB advisory for this vulnerability.

Workarounds

• Implement parameterized queries (prepared statements) in the attendance_report.php file to properly handle the class_id parameter
• Add strict input validation to ensure class_id only accepts integer values using functions like intval() or filter_var() with FILTER_VALIDATE_INT
• Apply the principle of least privilege to the database user account used by the application
• Consider deploying a reverse proxy or WAF in front of the application to filter malicious requests

# Example: Restrict access to vulnerable endpoint via Apache .htaccess
# Add to .htaccess in the web application directory
<Files "attendance_report.php">
    Order Deny,Allow
    Deny from all
    # Allow only from trusted IP addresses if needed
    # Allow from 192.168.1.0/24
</Files>