CVE-2024-10153 Overview
CVE-2024-10153 is a SQL injection vulnerability in PHPGurukul Boat Booking System 1.0. The flaw resides in the book-boat.php?bid=1 endpoint within the Book a Boat Page component. Attackers can manipulate the bookingdatefrom and nopeople parameters to inject arbitrary SQL statements. The vulnerability is exploitable remotely and requires only low-privileged authenticated access. A public proof-of-concept has been disclosed, increasing the likelihood of opportunistic exploitation. Other parameters in the same endpoint may also be vulnerable. The issue is categorized under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Remote attackers can extract, modify, or delete database contents in the Boat Booking System through injected SQL queries against the booking endpoint.
Affected Products
- PHPGurukul Boat Booking System 1.0
- Component: Book a Boat Page (book-boat.php)
- Vulnerable parameters: bookingdatefrom, nopeople
Discovery Timeline
- 2024-10-19 - CVE-2024-10153 published to NVD
- 2025-03-16 - Last updated in NVD database
Technical Details for CVE-2024-10153
Vulnerability Analysis
The vulnerability stems from unsanitized user input being concatenated directly into SQL queries. The book-boat.php script accepts the bid parameter to identify a boat and accepts booking parameters including bookingdatefrom and nopeople. The application passes these parameters to the database without using parameterized queries or input validation. An attacker can submit crafted values containing SQL metacharacters to alter the structure of the original query.
Because the endpoint is reachable over the network and only requires low-level privileges, exploitation does not require advanced access to the host. The public proof-of-concept demonstrates extraction of database contents using standard union-based and boolean-based SQL injection techniques.
Root Cause
The root cause is improper neutralization of special elements in user-supplied input passed to the database query interface. The application concatenates request parameters into SQL statements rather than binding them as typed parameters. This pattern is common in legacy PHP applications that rely on the mysqli or mysql_* functions without prepared statements.
Attack Vector
An attacker submits a crafted HTTP request to book-boat.php?bid=1 with malicious payloads in the bookingdatefrom or nopeople POST parameters. Successful injection allows the attacker to read arbitrary tables, including user credentials, modify booking records, or escalate impact through stacked queries depending on database privileges. Verified technical details are available in the GitHub Proof-of-Concept and VulDB entry 280939.
Detection Methods for CVE-2024-10153
Indicators of Compromise
- HTTP POST requests to book-boat.php?bid=1 containing SQL metacharacters such as single quotes, UNION SELECT, SLEEP(, or comment sequences (--, #) in the bookingdatefrom or nopeople parameters.
- Web server access logs showing unusually long parameter values or repeated requests with incremental payload variations indicating automated SQLi tooling.
- Database error messages referencing syntax errors near booking-related queries appearing in application or PHP error logs.
- Outbound database queries returning unexpectedly large result sets from tables unrelated to boat bookings.
Detection Strategies
- Deploy web application firewall rules that inspect request bodies for known SQL injection patterns targeting the book-boat.php endpoint.
- Enable database query logging and alert on UNION, INFORMATION_SCHEMA, or SLEEP keywords originating from the booking application user.
- Use static analysis on the PHP source to identify query construction that concatenates $_POST or $_GET values without prepared statements.
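The request-body check that the indicator list and the WAF strategy above describe, written out as an added example (not code from the advisory or from PHPGurukul); the pattern set, the parameter list and the sample request bodies are constructed for illustration, and running it before book-boat.php (for instance via auto_prepend_file) is an assumption about deployment:

```php
<?php
// Added example: inspect the booking parameters named in the advisory for the
// indicators listed above and report which ones matched, so a front-end or
// logging hook can block or record the request. Patterns are illustrative.

const WATCHED_PARAMS = ['bookingdatefrom', 'nopeople'];

// One regex per indicator from the IoC list; matching is deliberately loose.
const SQLI_PATTERNS = [
    'single-quote' => "/'/",
    'union-select' => '/\bunion\b\s+(all\s+)?\bselect\b/i',
    'sleep-call'   => '/\bsleep\s*\(/i',
    'comment-seq'  => '/(--|#|\/\*)/',
];

// Returns [param => [indicator, ...]] for each watched parameter that matched;
// an empty array means the body carried none of the listed indicators.
function inspectBookingRequest(array $post): array
{
    $hits = [];
    foreach (WATCHED_PARAMS as $name) {
        if (!isset($post[$name])) {
            continue;
        }
        // PHP has already decoded the body once; a second decode exposes
        // double-encoded values (%2527 and similar) in their final form.
        $value = urldecode((string) $post[$name]);
        foreach (SQLI_PATTERNS as $label => $re) {
            if (preg_match($re, $value) === 1) {
                $hits[$name][] = $label;
            }
        }
    }
    return $hits;
}

// Constructed sample bodies: a normal booking and one carrying indicators.
$benign  = ['bookingdatefrom' => '2024-11-02', 'nopeople' => '4'];
$suspect = ['bookingdatefrom' => "2024-11-02' AND SLEEP(5)-- ", 'nopeople' => '4'];
var_dump(inspectBookingRequest($benign));
var_dump(inspectBookingRequest($suspect));
```

A hit on nopeople is a strong signal because the field should never contain anything but digits; hits on free-text fields elsewhere in the application would need tuning for false positives.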
Monitoring Recommendations
- Forward web server and PHP error logs to a centralized logging platform and create detections for SQL syntax errors tied to the booking workflow.
- Monitor for spikes in response time on book-boat.php requests, which can indicate time-based blind SQL injection attempts.
- Track authentication events preceding suspicious requests since the vulnerability requires a low-privileged session.
How to Mitigate CVE-2024-10153
Immediate Actions Required
- Restrict network access to the Boat Booking System by placing it behind a VPN or IP allowlist until a fix is verified.
- Deploy WAF rules that block SQL injection payloads on all parameters of book-boat.php, not only bookingdatefrom and nopeople.
- Audit existing booking and user tables for signs of unauthorized modification or data extraction.
- Rotate credentials stored in the application database, including administrator accounts, if exposure is suspected.
Patch Information
No official vendor patch has been published in the referenced advisories. Operators should monitor the PHPGurukul site for updates. In the absence of a vendor fix, modify the affected source code to use prepared statements with parameter binding via mysqli::prepare() or PDO, and apply server-side input validation on date and numeric fields.
Workarounds
- Replace direct query construction in book-boat.php with parameterized queries using PDO or mysqli prepared statements.
- Enforce strict server-side type validation: cast nopeople to an integer and validate bookingdatefrom against a date format before use.
- Apply the principle of least privilege to the database account used by the application, removing rights to system tables and write access where unnecessary.
- Disable verbose database error reporting in the production PHP configuration to reduce information leakage to attackers.
# Example php.ini hardening to suppress error disclosure
display_errors = Off
log_errors = On
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
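The concatenation pattern described under Root Cause, next to a handler for the same inputs rewritten along the lines of the workarounds above (prepared statement via mysqli::prepare(), integer cast of nopeople, date validation of bookingdatefrom). This is an added example, not PHPGurukul's code: the open mysqli connection $con, the tblbooking table with columns boat_id, booking_from and no_people, and the 1..100 range on nopeople are assumptions chosen for illustration.

```php
<?php
// Added example, not PHPGurukul's code. Table, column names and $con are
// assumed for illustration; the request field names match the advisory.

// Vulnerable pattern: request values pasted straight into the SQL string,
// so metacharacters in bookingdatefrom or nopeople change the query itself.
function bookBoatUnsafe(mysqli $con, array $post, int $bid): bool
{
    $from = $post['bookingdatefrom'];
    $num  = $post['nopeople'];
    $sql  = "INSERT INTO tblbooking (boat_id, booking_from, no_people)"
          . " VALUES ('$bid', '$from', '$num')";
    return (bool) $con->query($sql);
}

// Accept only a real calendar date written as YYYY-MM-DD; null otherwise.
// The round trip through format() rejects overflowed dates such as 2024-02-30.
function validateBookingDate(string $value): ?string
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    return ($d !== false && $d->format('Y-m-d') === $value) ? $value : null;
}

// Hardened: reject anything that is not a date or a small positive integer,
// then bind the values as typed parameters so they are never parsed as SQL.
function bookBoatSafe(mysqli $con, array $post, int $bid): bool
{
    $from = validateBookingDate((string) ($post['bookingdatefrom'] ?? ''));
    $num  = filter_var($post['nopeople'] ?? '', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($from === null || $num === false) {
        return false; // reject invalid input instead of trying to "clean" it
    }
    $stmt = $con->prepare(
        'INSERT INTO tblbooking (boat_id, booking_from, no_people) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('isi', $bid, $from, $num); // i = integer, s = string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The same validate-then-bind shape applies to the other parameters of book-boat.php that the overview notes may also be affected.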
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.