CVE-2024-10170 Overview
CVE-2024-10170 is a SQL injection vulnerability in code-projects Hospital Management System 1.0. The flaw is in get_doctor.php, where the specilizationid parameter (the name is spelled that way in the application itself) is placed directly into a database query without validation or parameterization, so an attacker can inject arbitrary SQL. The vulnerability is exploitable remotely over the network and requires only a low-privilege authenticated account. Exploit details have been disclosed publicly, which raises the risk of opportunistic attacks against deployments of this PHP-based hospital management application.
Critical Impact
Authenticated remote attackers can inject SQL queries through the specilizationid parameter in get_doctor.php, leading to unauthorized access to patient records, doctor information, and other sensitive medical data stored in the application database.
Affected Products
- Fabian Hospital Management System 1.0
- code-projects Hospital Management System (PHP-based distribution)
- Deployments using the vulnerable get_doctor.php endpoint
Discovery Timeline
- 2024-10-20 - CVE-2024-10170 published to NVD
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2024-10170
Vulnerability Analysis
The vulnerability is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. The get_doctor.php script accepts a specilizationid parameter via HTTP request and concatenates it into a SQL query without parameterization or input validation. This allows an attacker to break out of the intended query context and execute arbitrary SQL statements against the backend database.
Exploitation requires network access to the web application and a low-privilege authenticated session. No user interaction is needed. Successful exploitation can disclose, modify, or delete records in the underlying database, which typically contains patient health information, doctor profiles, appointments, and billing data.
Root Cause
The root cause is the absence of prepared statements or parameterized queries in the PHP code handling the specilizationid argument. The application directly embeds user-supplied input into the SQL string passed to the database driver. Input is neither type-cast to an integer nor escaped through a database-aware sanitization routine. Note that if the value is compared unquoted as a number (the usual shape for an id lookup), string escaping alone would not have helped either, because no quote needs to be broken out of; casting to an integer or binding the value as an integer parameter is the correct fix.
Attack Vector
An attacker sends a crafted HTTP request to the get_doctor.php endpoint with a malicious payload in the specilizationid parameter. Typical payloads include UNION-based injections to extract data from adjacent tables and boolean-based blind injections to enumerate schema information. Because the exploit has been disclosed publicly through the referenced VulDB and GitHub issue, automated scanners are likely to incorporate detection signatures for this endpoint.
For technical reproduction details, see the GitHub CVE Issue #1 and VulDB entry #280955.
Detection Methods for CVE-2024-10170
Indicators of Compromise
- HTTP requests to /get_doctor.php whose specilizationid value is anything other than a short decimal number, in particular values containing SQL meta-characters or keywords such as ', --, UNION, SELECT, or SLEEP(.
- Responses from get_doctor.php that are unusually large for a single specialization lookup, or that contain database error text (for example MySQL syntax errors), which points to UNION-based or error-based extraction.
- Web server access logs showing many requests to get_doctor.php from a single source in a short time with varying payload lengths, the signature of automated injection tooling probing the parameter.
- Database query logs containing UNION SELECT, comment sequences, or time-delay functions in queries issued by the Hospital Management System service account.
Detection Strategies
- Deploy web application firewall (WAF) rules that flag SQL injection patterns in parameters submitted to PHP endpoints under the Hospital Management System path.
- Enable database query logging (for MySQL, the general query log) and alert on statements from the application account that reference the doctor or specialization tables and contain UNION, comment sequences, or time-delay functions; once the parameter is bound as an integer, these tokens cannot reach the server as part of the statement text.
- Correlate database error responses from get_doctor.php (HTTP 500, or HTTP 200 bodies that contain MySQL error text, since PHP applications frequently return query errors with a 200 status) with subsequent 200 responses of abnormal size from the same source, the pattern of an attacker refining a payload until it succeeds.
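As an added example (not code from the original page or from the code-projects project), the following PHP CLI script applies the indicators above to combined-format web server access logs: it URL-decodes the specilizationid value, flags SQL tokens and any non-integer id, and summarises findings per source address with the count of distinct payload lengths. The five log lines are constructed for the example, and the /hms/ install path is an assumption.

```php
<?php
// Added example: scan combined-format access logs for CVE-2024-10170 probing.
// Log lines below are constructed, not real traffic; "/hms/" is an assumed path.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [21/Oct/2024:10:01:02 +0000] "GET /hms/get_doctor.php?specilizationid=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Oct/2024:10:02:11 +0000] "GET /hms/get_doctor.php?specilizationid=3%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 37 "-" "sqlmap/1.8"
10.0.0.9 - - [21/Oct/2024:10:02:12 +0000] "GET /hms/get_doctor.php?specilizationid=3%20UNION%20SELECT%20username%2Cpassword%2C3%20FROM%20users HTTP/1.1" 200 4096 "-" "sqlmap/1.8"
10.0.0.9 - - [21/Oct/2024:10:02:13 +0000] "GET /hms/get_doctor.php?specilizationid=-1%20OR%201%3D1 HTTP/1.1" 200 8192 "-" "sqlmap/1.8"
10.0.0.7 - - [21/Oct/2024:10:03:00 +0000] "GET /hms/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

// Tokens that never belong in an integer id. Applied after URL decoding.
const SQLI_PATTERN = '/\'|--|\/\*|\bUNION\b|\bSELECT\b|\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bOR\s+\d+\s*=\s*\d+/i';

// One line of the Apache/Nginx combined format: ip ident user [time] "METHOD target HTTP/x" status bytes ...
const LOG_LINE = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3}) (\d+|-)/';

/** Returns one finding per suspicious get_doctor.php request. */
function scan_access_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LOG_LINE, $line, $m)) {
            continue;                        // not a request line we understand
        }
        [, $ip, $target, $status, $bytes] = $m;
        $path = (string) (parse_url($target, PHP_URL_PATH) ?: '');
        if (!str_ends_with($path, '/get_doctor.php')) {
            continue;                        // only the vulnerable endpoint is of interest
        }
        parse_str((string) parse_url($target, PHP_URL_QUERY), $params); // parse_str URL-decodes values
        if (!isset($params['specilizationid'])) {
            continue;
        }
        $value = (string) $params['specilizationid'];
        if (preg_match(SQLI_PATTERN, $value)) {
            $reason = 'sql tokens';
        } elseif (filter_var($value, FILTER_VALIDATE_INT) === false) {
            $reason = 'non-integer id';      // catches probes the keyword list misses
        } else {
            continue;                        // plain numeric id: normal traffic
        }
        $findings[] = [
            'ip' => $ip, 'value' => $value, 'reason' => $reason,
            'status' => (int) $status, 'bytes' => $bytes === '-' ? 0 : (int) $bytes,
        ];
    }
    return $findings;
}

/** Per-source summary: request count, distinct payload lengths, largest response. */
function summarise_by_ip(array $findings): array
{
    $out = [];
    foreach ($findings as $f) {
        $s = &$out[$f['ip']];
        $s['requests']  = ($s['requests'] ?? 0) + 1;
        $s['lengths'][strlen($f['value'])] = true;
        $s['max_bytes'] = max($s['max_bytes'] ?? 0, $f['bytes']);
        unset($s);
    }
    foreach ($out as &$s) {
        $s['distinct_lengths'] = count($s['lengths']);
        unset($s['lengths']);
    }
    unset($s);
    return $out;
}

$findings = scan_access_log(SAMPLE_LOG);
foreach ($findings as $f) {
    printf("%-10s %-15s %3d %5d  %s\n", $f['ip'], $f['reason'], $f['status'], $f['bytes'], $f['value']);
}
print_r(summarise_by_ip($findings));
```

Run it with `php scan.php`; to use it on a real log, replace SAMPLE_LOG with `file_get_contents('/var/log/apache2/access.log')`. The non-integer check is deliberately the second test: any value that is not a plain number is anomalous for an id parameter, so it catches encodings and payloads that a keyword list alone would miss.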
Monitoring Recommendations
- Forward web server and database logs to a centralized analytics platform for SQL injection pattern matching.
- Baseline the normal request rate and response size for get_doctor.php and alert when either rises well above that baseline.
- Monitor for new user accounts, role changes, or bulk data exports from the application database following suspicious requests.
How to Mitigate CVE-2024-10170
Immediate Actions Required
- Restrict network access to the Hospital Management System to trusted internal networks or VPN users until a patch is applied.
- Audit web server logs for prior exploitation attempts against get_doctor.php and review database integrity for unauthorized changes.
- Rotate database credentials used by the application if injection activity is identified, and treat any credential hashes stored in tables the attacker could have read as compromised.
Patch Information
No official vendor patch is listed in the NVD references for CVE-2024-10170. The code-projects distribution does not publish a coordinated security advisory. Administrators should review the upstream code at Code Projects and apply manual source-level fixes by replacing dynamic SQL concatenation in get_doctor.php with prepared statements using PDO or MySQLi parameter binding.
Workarounds
- Modify get_doctor.php to validate specilizationid as an integer before it reaches any SQL query, for example with intval() or filter_var() with FILTER_VALIDATE_INT, and reject the request when validation fails. Be aware that intval() silently turns a malicious string into 0, so log or reject non-numeric input rather than querying with the coerced value. This workaround assumes the parameter is a numeric id and does not replace prepared statements for string parameters elsewhere in the application.
- Implement a WAF rule blocking common SQL injection signatures targeting the specilizationid parameter, or, more simply and with fewer false positives, one that denies any value for that parameter which is not purely digits.
- Place the application behind an authenticating reverse proxy to limit anonymous network reachability.
- Consider migrating to a vendor-supported hospital management platform if production use is required.
# Example WAF rule (ModSecurity) blocking SQLi patterns on the vulnerable endpoint.
# The first rule selects the endpoint; the chained rule runs libinjection's SQLi
# detector on the URL-decoded parameter. Both must match for the deny to fire.
SecRule REQUEST_URI "@contains /get_doctor.php" \
    "id:1010170,phase:2,deny,status:403,log,msg:'CVE-2024-10170 SQLi attempt',chain"
    SecRule ARGS:specilizationid "@detectSQLi" \
        "t:none,t:urlDecodeUni"
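To make the source-level fix concrete for the Root Cause, Patch Information and Workarounds sections above, here is an added example (not code from the code-projects project; the real get_doctor.php was not reproduced) showing the vulnerable concatenation pattern beside hardened MySQLi and PDO versions and a request handler that rejects non-integer ids. The table and column names (doctors, id, doctor_name, specilizationid), the database credentials and the handler shape are assumptions.

```php
<?php
// Added example (not the project's code): vulnerable query pattern beside two
// hardened versions. Table/column names and credentials are assumptions.
declare(strict_types=1);

// VULNERABLE (CWE-89): the raw request value is concatenated into the SQL text.
// A value such as  0 UNION SELECT username,password FROM users  rewrites the query.
function get_doctors_vulnerable(mysqli $db, string $specilizationid): mysqli_result|false
{
    $sql = 'SELECT id, doctor_name FROM doctors WHERE specilizationid = ' . $specilizationid;
    return $db->query($sql);
}

// HARDENED (MySQLi): validate the id, then bind it as an integer parameter.
// A bound value travels separately from the statement and cannot change its structure.
function get_doctors_mysqli(mysqli $db, string $specilizationid): array
{
    $id = filter_var($specilizationid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('specilizationid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, doctor_name FROM doctors WHERE specilizationid = ?');
    $stmt->bind_param('i', $id);                           // 'i' = integer type
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result() needs mysqlnd
}

// HARDENED (PDO): same idea with a named placeholder. Emulated prepares are turned
// off so the statement is prepared server-side instead of interpolated by PDO.
function get_doctors_pdo(PDO $db, string $specilizationid): array
{
    $id = filter_var($specilizationid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('specilizationid must be a positive integer');
    }
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare('SELECT id, doctor_name FROM doctors WHERE specilizationid = :sid');
    $stmt->bindValue(':sid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request glue as a drop-in handler (assumed shape). Invalid ids get a 400 rather
// than being silently coerced to 0, so probing stands out in the access log.
if (PHP_SAPI !== 'cli') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'hms_user', getenv('HMS_DB_PASS') ?: '', 'hms'); // placeholders
    header('Content-Type: application/json');
    try {
        echo json_encode(get_doctors_mysqli($db, (string) ($_GET['specilizationid'] ?? '')));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    } catch (mysqli_sql_exception $e) {
        http_response_code(500);
        error_log('get_doctor.php: ' . $e->getMessage());  // log, never echo, database errors
        echo json_encode(['error' => 'internal error']);
    }
}
```

Two details matter beyond the placeholder itself: validating the id before the query turns injection attempts into 400 responses that are easy to alert on, and catching the driver exception keeps MySQL error text out of the response body, which removes the error-based extraction channel noted under Detection Methods.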
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.