CVE-2024-10154 Overview
CVE-2024-10154 is a SQL injection vulnerability affecting PHPGurukul Boat Booking System 1.0. The flaw resides in the status.php file, which implements the Check Booking Status Page component. Attackers can manipulate the emailid parameter to inject arbitrary SQL statements into backend database queries. The vulnerability is exploitable remotely over the network and requires low-level privileges. Public disclosure of exploit details has occurred, increasing the likelihood of opportunistic attacks against exposed deployments. The weakness is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Remote attackers can extract, modify, or delete database contents by injecting SQL payloads through the emailid parameter on the booking status page.
Affected Products
- PHPGurukul Boat Booking System 1.0
- Component: Check Booking Status Page (status.php)
- Parameter: emailid
Discovery Timeline
- 2024-10-19 - CVE-2024-10154 published to NVD
- 2024-10-22 - Last updated in NVD database
Technical Details for CVE-2024-10154
Vulnerability Analysis
The vulnerability resides in the booking status lookup workflow of PHPGurukul Boat Booking System 1.0. The status.php script accepts a user-supplied emailid value and concatenates it directly into a SQL query without parameterization or sanitization. An attacker submitting crafted input through this parameter can break out of the original query context and append arbitrary SQL clauses. This enables data extraction from the underlying MySQL database, including booking records, customer details, and administrative credentials stored in associated tables. Because the booking status page is typically exposed to unauthenticated users, the attack surface is broad and reachable from the public internet.
Root Cause
The root cause is improper neutralization of special elements in SQL commands (CWE-89). The application constructs SQL queries by string concatenation using the unsanitized emailid HTTP parameter. No prepared statements, parameter binding, or input validation routines are applied before the value reaches the database driver. This pattern is common across multiple PHPGurukul applications that share similar code styles.
Attack Vector
The attack vector is network-based and requires no user interaction. An attacker sends a crafted HTTP request to the status.php endpoint with a malicious payload in the emailid parameter. Typical exploitation includes boolean-based blind injection, UNION-based extraction, and time-based blind techniques to enumerate database schemas and exfiltrate records. Public technical documentation for this issue is available in the GitHub CVE Documentation and the VulDB entry.
No verified proof-of-concept code is reproduced here. Refer to the linked references for the disclosed payload structure and request format.
Detection Methods for CVE-2024-10154
Indicators of Compromise
- HTTP requests to /status.php containing SQL meta-characters such as single quotes, UNION SELECT, SLEEP(, or -- in the emailid parameter
- Web server access logs showing repeated status.php requests from the same source IP with varying emailid payloads
- Unexpected MySQL information_schema queries originating from the Boat Booking System database user
- Anomalously long response times on status.php consistent with time-based blind injection probes
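The first two indicators above can be checked directly against access logs. The following PHP script is an added example, not part of the advisory or the PHPGurukul project: it parses Apache combined-format lines, URL-decodes the emailid value of status.php requests, flags the meta-characters the list names, and counts distinct payloads per source IP. The log lines are constructed samples with documentation-range IPs; PHP 8 is assumed for str_ends_with().

```php
<?php
// Added example, not part of the advisory: scan Apache combined-format access
// log lines for the CVE-2024-10154 indicators (SQL meta-characters in the
// emailid parameter of status.php, and one source cycling through payloads).
// Constructed sample lines with documentation-range IPs.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [19/Oct/2024:10:01:02 +0000] "GET /status.php?emailid=alice%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Oct/2024:10:02:10 +0000] "GET /status.php?emailid=x%27%20UNION%20SELECT%201%2C2-- HTTP/1.1" 500 131 "-" "curl/8.0"
198.51.100.9 - - [19/Oct/2024:10:02:19 +0000] "GET /status.php?emailid=x%27%20AND%20SLEEP%285%29-- HTTP/1.1" 200 512 "-" "curl/8.0"
LOG;

/** Parse one combined-log line into ip, path, query string and status, or null. */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) ([^ ?"]+)(?:\?([^ "]*))? HTTP\/[\d.]+" (\d{3})/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'path' => $m[2], 'query' => $m[3] ?? '', 'status' => (int) $m[4]];
}

/** The meta-character indicators listed in the advisory. A lone apostrophe is
 *  legal in some addresses, so a hit is a lead to triage, not proof of attack. */
function looksLikeSqli(string $value): bool
{
    return preg_match('/[\'"]|--|\bUNION\s+SELECT\b|\bSLEEP\s*\(/i', $value) === 1;
}

/** Returns ['hits' => flagged requests, 'payloadsPerIp' => distinct emailid values per IP]. */
function scanAccessLog(string $log): array
{
    $hits = [];
    $seen = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = parseLogLine($line);
        if ($rec === null || !str_ends_with($rec['path'], '/status.php')) { continue; }
        parse_str($rec['query'], $params);           // URL-decodes the values
        $email = $params['emailid'] ?? null;
        if (!is_string($email)) { continue; }
        $seen[$rec['ip']][$email] = true;            // distinct payloads per source
        if (looksLikeSqli($email)) {
            $hits[] = ['ip' => $rec['ip'], 'status' => $rec['status'], 'emailid' => $email];
        }
    }
    return ['hits' => $hits, 'payloadsPerIp' => array_map('count', $seen)];
}

$result = scanAccessLog(SAMPLE_LOG);
foreach ($result['hits'] as $h) {
    printf("SQLi indicator from %s (HTTP %d): %s\n", $h['ip'], $h['status'], $h['emailid']);
}
```

On the sample input the two 198.51.100.9 requests are flagged and that address shows two distinct payloads, while the legitimate lookup from 203.0.113.7 is not reported.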
Detection Strategies
- Deploy web application firewall (WAF) signatures targeting SQL injection patterns on the emailid parameter
- Enable database query logging and alert on queries referencing information_schema, users, or administrative tables from the booking application context
- Monitor for HTTP 500 errors from status.php that may indicate failed injection attempts
- Correlate web logs with database audit logs to identify suspicious query bursts tied to status page requests
Monitoring Recommendations
- Baseline normal request patterns to status.php and alert on payload length or character-set anomalies
- Track outbound data volumes from the database server to detect bulk extraction
- Forward web and database logs to a centralized analytics platform for cross-source correlation
- Review authentication events for any administrative accounts whose credentials may have been exposed through injection
How to Mitigate CVE-2024-10154
Immediate Actions Required
- Restrict public access to status.php until a vendor patch is applied, using IP allowlists or authentication gates
- Deploy WAF rules that block SQL injection patterns against the emailid parameter
- Audit the database for unauthorized read or write activity originating from the booking application service account
- Rotate database credentials and any administrative passwords that may have been disclosed
Patch Information
At the time of publication, no official patch from PHPGurukul has been listed in the NVD references. Administrators should monitor the PHP Gurukul Homepage for an updated release. As an interim measure, modify the application source to replace concatenated SQL with parameterized queries using mysqli_prepare() or PDO prepared statements, and apply strict input validation on the emailid field.
Workarounds
- Replace direct SQL concatenation in status.php with prepared statements that bind the emailid value as a string parameter
- Apply server-side input validation that rejects any emailid value not matching a strict email format regular expression
- Configure the MySQL account used by the application with the minimum privileges required, removing access to unrelated schemas
- Disable verbose database error reporting in PHP to prevent error-based injection feedback
# Example Apache mod_security rule to block SQL meta-characters on the emailid parameter
# (case-insensitive match, with URL decoding applied first so encoded payloads are also caught)
SecRule ARGS:emailid "@rx (?i)(['\"]|--|\b(UNION|SELECT|SLEEP|BENCHMARK)\b)" \
"id:1010154,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'CVE-2024-10154 SQLi attempt on status.php'"
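The code-level workaround described above, written out as an added illustration rather than PHPGurukul's own source: the emailid value is validated server-side and then bound as a string parameter through mysqli prepared statements. The form field being posted, the $con connection variable, and the table and column names (tblbooking, EmailId, BookingNumber, BookingDate, Status) are assumptions, since the advisory does not give the schema.

```php
<?php
// Added illustrative hardening of the status.php lookup; not PHPGurukul's code.
// Assumptions: the form posts emailid, $con is the app's mysqli connection,
// and bookings live in a table "tblbooking" with an "EmailId" column.
// Vulnerable pattern the advisory describes (do not use): the raw parameter is
// spliced into the query text, so quotes and keywords become part of the SQL:
//   $sql = "SELECT * FROM tblbooking WHERE EmailId='" . $_POST['emailid'] . "'";

/**
 * Server-side validation of the emailid field. Returns the trimmed address, or
 * null when it is missing, too long, or not a syntactically valid email.
 * This is defence in depth only; the prepared statement below is the real fix,
 * because an apostrophe is legal in some addresses and passes this check.
 */
function validateEmailId(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $email = trim($raw);
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

/**
 * Look up bookings for one address with a prepared statement. The value is
 * bound as a string ('s'), so the driver never interprets it as SQL.
 */
function fetchBookingStatus(mysqli $con, string $email): array
{
    $sql = 'SELECT BookingNumber, BookingDate, Status FROM tblbooking WHERE EmailId = ?';
    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        // Log $con->error server-side; never echo driver errors to the client
        throw new RuntimeException('Failed to prepare booking lookup');
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$email = validateEmailId($_POST['emailid'] ?? null);
if ($email === null) {
    http_response_code(400);
    exit('Please enter a valid email address.');
}
$bookings = fetchBookingStatus($con, $email); // render $bookings in the status page
```

Pair this with the least-privilege MySQL account and the disabled verbose error reporting listed in the workarounds, so that a remaining bug elsewhere neither reaches other schemas nor leaks query errors to the client.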
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.