CVE-2024-10163 Overview
CVE-2024-10163 is a SQL injection vulnerability in SourceCodester Sentiment Based Movie Rating System 1.0. The flaw resides in the /msrps/movie_details.php script, where the id parameter is passed directly into a SQL query without proper sanitization. An authenticated remote attacker can manipulate the id argument to inject arbitrary SQL statements against the backend database. The exploit details have been publicly disclosed, increasing the likelihood of opportunistic exploitation against exposed instances. The vulnerability is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Successful exploitation allows remote attackers to read, modify, or extract data from the application database through crafted requests to movie_details.php.
Affected Products
- SourceCodester Sentiment Based Movie Rating System 1.0
- Vendor: oretnom23
- Vulnerable component: /msrps/movie_details.php (id parameter)
Discovery Timeline
- 2024-10-20 - CVE-2024-10163 published to NVD
- 2024-10-22 - Last updated in NVD database
Technical Details for CVE-2024-10163
Vulnerability Analysis
The vulnerability is a classic SQL injection in the movie details endpoint of the Sentiment Based Movie Rating System. The movie_details.php script accepts an id parameter via HTTP request and incorporates the value into a SQL query without parameterization or input validation. Attackers can supply crafted payloads such as UNION-based or boolean-based injection strings to manipulate query logic. The attack is reachable over the network and requires only low-level privileges within the application context.
Root Cause
The root cause is improper neutralization of user-supplied input before it is concatenated into a SQL statement. The application uses dynamic query construction rather than prepared statements or parameterized queries. Any value passed through the id request parameter is interpreted by the database engine, allowing an attacker to break out of the intended query structure.
Attack Vector
An attacker sends an HTTP request to /msrps/movie_details.php with a malicious id value. Because the parameter is consumed directly by the SQL query, payloads can be used to extract data using UNION SELECT statements, enumerate database schemas, or bypass authentication-related checks. Exploitation does not require user interaction, and the attack can be automated against exposed deployments.
For technical proof-of-concept details, see the GitHub PoC Repository and the VulDB entry #280950.
Detection Methods for CVE-2024-10163
Indicators of Compromise
- HTTP requests to /msrps/movie_details.php whose id parameter contains SQL metacharacters or keywords such as ', ", --, UNION, SELECT, or SLEEP(.
- Unusually long or URL-encoded id parameter values in web server access logs.
- Database error messages returned in HTTP responses originating from movie_details.php.
- Database queries against information_schema or other system tables issued by the web application's database user.
Detection Strategies
- Inspect web server access logs for anomalous request patterns targeting movie_details.php, especially repetitive probes with varying id payloads.
- Deploy Web Application Firewall (WAF) signatures for SQL injection patterns matching CWE-89.
- Enable database query logging and alert on queries originating from the application that reference metadata tables or use stacked statements.
- Correlate failed query errors with the source IP to identify automated injection tooling.
Monitoring Recommendations
- Monitor for sudden spikes in HTTP 500 responses from movie_details.php, which often indicate injection probing.
- Track outbound data volumes from the database host to identify potential bulk exfiltration.
- Alert on access to sensitive tables (users, credentials) from the web application service account.
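As an added example (not part of the original advisory), a small PHP triage script that applies the indicators above to constructed access-log lines and tallies hits per source IP; the combined log format, the path and the length threshold are assumptions.

```php
<?php
// Added example, not from the original page or the SourceCodester project.
// Flags requests to /msrps/movie_details.php whose id parameter is non-numeric,
// unusually long, or contains the SQL metacharacters/keywords listed as IoCs,
// and tallies hits per source IP. The log lines below are constructed samples.
$logLines = [
    '10.0.0.5 - - [20/Oct/2024:10:00:01 +0000] "GET /msrps/movie_details.php?id=7 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [20/Oct/2024:10:00:02 +0000] "GET /msrps/movie_details.php?id=7%27-- HTTP/1.1" 500 312',
    '10.0.0.9 - - [20/Oct/2024:10:00:03 +0000] "GET /msrps/movie_details.php?id=7%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 9001',
    '10.0.0.5 - - [20/Oct/2024:10:00:04 +0000] "GET /msrps/index.php HTTP/1.1" 200 2048',
];

// Returns null for benign lines, otherwise the client IP, decoded id and reasons.
function analyzeLine(string $line): ?array
{
    if (!preg_match('/^(\S+) .*"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    [, $ip, $uri] = $m;
    if (parse_url($uri, PHP_URL_PATH) !== '/msrps/movie_details.php') {
        return null;
    }
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $params); // URL-decodes values
    $id = is_string($params['id'] ?? null) ? $params['id'] : '';
    $reasons = [];
    if ($id === '' || !ctype_digit($id)) {
        $reasons[] = 'non-numeric id';
    }
    if (strlen($id) > 10) { // assumed threshold; legitimate ids are short integers
        $reasons[] = 'unusually long id';
    }
    if (preg_match('/[\'"]|--|\b(?:union|select|sleep)\b/i', $id)) {
        $reasons[] = 'SQL metacharacter or keyword in id';
    }
    return $reasons ? ['ip' => $ip, 'id' => $id, 'reasons' => $reasons] : null;
}

$perIp = [];
foreach ($logLines as $line) {
    if (($hit = analyzeLine($line)) !== null) {
        $perIp[$hit['ip']] = ($perIp[$hit['ip']] ?? 0) + 1;
        printf("ALERT %s id=%s (%s)\n", $hit['ip'], $hit['id'], implode('; ', $hit['reasons']));
    }
}
foreach ($perIp as $ip => $count) {
    // Repeated hits from one source are the pattern that suggests automated tooling.
    printf("%s: %d suspicious request(s)\n", $ip, $count);
}
```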
How to Mitigate CVE-2024-10163
Immediate Actions Required
- Restrict public access to the Sentiment Based Movie Rating System pending a vendor fix, using network ACLs or reverse proxy authentication.
- Deploy a WAF rule blocking SQL metacharacters and UNION-based payloads against /msrps/movie_details.php.
- Rotate any database credentials and review database logs for evidence of prior exploitation.
- Limit the database account used by the application to least-privilege read access where possible.
Patch Information
No official vendor patch is currently listed in the NVD record for CVE-2024-10163. Administrators should monitor SourceCodester for an updated release and apply source-code fixes manually by replacing dynamic SQL concatenation in movie_details.php with parameterized queries using PHP Data Objects (PDO) or mysqli prepared statements.
Workarounds
- Modify movie_details.php to validate that the id parameter is an integer before use, for example via intval() or filter_var($id, FILTER_VALIDATE_INT); note that intval() coerces any input to an integer, whereas filter_var() rejects non-integer input outright.
- Implement prepared statements with bound parameters to eliminate dynamic SQL construction.
- Place the application behind an authenticating reverse proxy if it is not intended for public exposure.
- Disable verbose database error reporting in production to reduce information leakage to attackers.
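As an added example, not the project's own code, the hardened shape of the lookup that the patch guidance and workarounds describe: integer validation followed by a mysqli prepared statement, with database errors kept out of the response. The "before" comment is an assumed reconstruction of the vulnerable pattern, and the table, column and connection names are placeholders.

```php
<?php
// Added example, not code from the SourceCodester project. Table/column names
// (movies, id, title, description) and connection values are placeholders.
// Requires the mysqlnd driver for get_result().

// BEFORE (assumed vulnerable pattern: the raw request value becomes SQL text):
// $id  = $_GET['id'];
// $row = $conn->query("SELECT * FROM movies WHERE id = " . $id)->fetch_assoc();

// AFTER: validate, then bind the value as a parameter instead of SQL text.
function fetchMovie(mysqli $conn, $rawId): ?array
{
    // 1. Reject anything that is not a positive integer (filter_var does not coerce).
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Prepared statement: the query structure is fixed before the value arrives.
    $stmt = $conn->prepare('SELECT id, title, description FROM movies WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage inside movie_details.php.
try {
    $conn  = new mysqli('localhost', 'msrps_user', 'CHANGE_ME', 'msrps_db');
    $movie = fetchMovie($conn, $_GET['id'] ?? '');
} catch (mysqli_sql_exception $e) {
    // 3. Database errors go to the server log only, never to the HTTP response.
    error_log('movie_details: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error');
}
if ($movie === null) {
    http_response_code(404);
    exit('Movie not found');
}
echo htmlspecialchars($movie['title'], ENT_QUOTES, 'UTF-8');
```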
# Example WAF rule (ModSecurity) blocking SQLi against movie_details.php
SecRule REQUEST_URI "@contains /msrps/movie_details.php" \
"id:1010163,phase:2,deny,status:403,\
chain,msg:'CVE-2024-10163 SQLi attempt'"
SecRule ARGS:id "@detectSQLi" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.