CVE-2024-10196 Overview
CVE-2024-10196 is a SQL injection vulnerability in code-projects Pharmacy Management System 1.0. The flaw resides in the /add_new_invoice.php script, where the text parameter is passed directly into a SQL query without sanitization. Remote attackers can manipulate this parameter to inject arbitrary SQL statements against the backing database. The issue is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Public disclosure of the exploit technique increases the likelihood of opportunistic attacks against unpatched deployments.
Critical Impact
Authenticated remote attackers can inject SQL through the text parameter in /add_new_invoice.php, leading to unauthorized read and write access to pharmacy records, invoices, and patient data.
Affected Products
- code-projects Pharmacy Management System 1.0
- CPE: cpe:2.3:a:code-projects:pharmacy_management_system:1.0:*:*:*:*:*:*:*
- Vulnerable component: /add_new_invoice.php
Discovery Timeline
- 2024-10-21 - CVE-2024-10196 published to NVD
- 2024-10-23 - Last updated in NVD database
Technical Details for CVE-2024-10196
Vulnerability Analysis
The vulnerability exists in the invoice creation workflow of Pharmacy Management System 1.0. When a user submits data to /add_new_invoice.php, the application concatenates the text argument directly into a SQL statement. The application performs no input validation, parameterization, or escaping before executing the query.
An attacker with low privileges can submit crafted input containing SQL metacharacters. The injected payload alters the structure of the original query and executes attacker-controlled SQL against the underlying database. Public proof-of-concept material has been disclosed through a GitHub Gist and VulDB entry #281021.
Root Cause
The root cause is improper neutralization of special elements in an SQL command [CWE-89]. The text parameter received by /add_new_invoice.php is interpolated into a dynamic SQL string rather than bound as a parameter. PHP code that constructs queries through string concatenation with raw $_POST or $_GET values exposes the database to direct manipulation.
Attack Vector
The attack vector is network-based and requires low privileges. An attacker authenticates with a low-privilege account, then sends a POST request to /add_new_invoice.php containing a malicious text value. Typical payloads include boolean-based and UNION-based SQL injection patterns to extract data, modify records, or enumerate the schema. No user interaction is required beyond the attacker's own request.
The vulnerability mechanism is documented in the public exploit reference. See the GitHub Gist exploit notes and VulDB incident record for the request structure and payload format.
Detection Methods for CVE-2024-10196
Indicators of Compromise
- HTTP POST requests to /add_new_invoice.php whose text parameter contains SQL metacharacters or keywords such as a single quote ('), the comment sequence --, UNION SELECT, or OR 1=1.
- Unexpected database errors or 500 responses returned from /add_new_invoice.php in web server logs.
- New, modified, or deleted rows in the invoices table or related pharmacy tables without a corresponding legitimate user action.
- Outbound database queries originating from the web application process that reference information_schema or system tables.
Detection Strategies
- Inspect web server access logs for requests to /add_new_invoice.php containing URL-encoded SQL keywords (%27, %20OR%20, %20UNION%20).
- Deploy a Web Application Firewall (WAF) signature that flags SQL injection patterns targeting the text parameter.
- Enable database query logging and alert on parsed queries containing unusual UNION clauses or stacked statements originating from the invoice endpoint.
- Correlate authentication events with subsequent injection attempts to identify compromised or attacker-created low-privilege accounts.
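The indicator list and detection strategies above can be run over log data directly. The following Python is an added example, not part of this advisory or of the Pharmacy Management System project: it parses combined-format access log lines (the sample lines are constructed, not real traffic), URL-decodes each query parameter, repeatedly if double-encoded, and reports the page's indicator patterns (single quote, --, UNION SELECT, OR 1=1) together with 5xx responses from /add_new_invoice.php. One caveat worth noting: a default access log records only the request line, so a payload carried in a POST body is invisible here and must be caught in a WAF audit log or by the database query logging the page recommends.

```python
import re
from urllib.parse import parse_qs, unquote_plus

ENDPOINT = "/add_new_invoice.php"

# Apache/Nginx "combined" access-log layout: client, identd, user, [timestamp],
# "METHOD target PROTOCOL", status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# The indicator patterns from the IoC list, matched after URL decoding.
SQLI_RE = re.compile(r"(?i)(union\s+select|\bor\s+1\s*=\s*1\b|--|/\*|'|;)")


def decode_fully(value, max_rounds=3):
    """Undo repeated URL encoding (e.g. %2527 -> %27 -> ') so double-encoded
    payloads are inspected in their final form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding dict for one log line, or None if it is unremarkable.
    Only the request target is inspected: a default access log does not
    record POST bodies, so body-borne payloads need a WAF audit log instead."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    if path != ENDPOINT:
        return None

    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            hits = sorted({h.lower() for h in SQLI_RE.findall(decode_fully(raw))})
            if hits:
                findings.append(f"sqli:{name}:{'|'.join(hits)}")

    status = int(m["status"])
    if status >= 500:  # database errors surfacing as 5xx, per the IoC list
        findings.append(f"server-error:{status}")

    if not findings:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": status, "findings": findings}


def scan_access_log(lines):
    """Scan an iterable of log lines and return the findings in log order."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample lines (not real traffic): a normal POST whose body is not
# logged, two probes via the query string (the second triggering a 500), and a
# request to an unrelated page that must be ignored.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Oct/2024:10:15:01 +0000] "POST /add_new_invoice.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Oct/2024:10:16:44 +0000] "GET /add_new_invoice.php?text=%27%20OR%201%3D1%20-- HTTP/1.1" 200 9812 "-" "curl/8.4.0"',
    '10.0.0.9 - - [21/Oct/2024:10:16:50 +0000] "GET /add_new_invoice.php?text=1%20UNION%20SELECT%201%2C2 HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '10.0.0.7 - - [21/Oct/2024:10:17:03 +0000] "GET /index.php?page=%27 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The single-quote indicator is deliberately kept because the page lists it, but on its own it is noisy (a customer name such as O'Brien would trigger it); in production, weight the findings so that a quote only escalates when it appears together with a keyword or comment sequence, or when the same client also produces 5xx responses from the endpoint.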
Monitoring Recommendations
- Forward web server, PHP error, and MySQL/MariaDB query logs to a centralized logging platform for retention and correlation.
- Alert on spikes in 4xx and 5xx responses from /add_new_invoice.php that may indicate exploitation attempts or fuzzing.
- Track database account activity from the web application's service account for anomalous SELECT volumes against sensitive tables.
How to Mitigate CVE-2024-10196
Immediate Actions Required
- Restrict network access to the Pharmacy Management System to trusted internal users until a fix is applied.
- Place the application behind a WAF and enable SQL injection rule sets that inspect POST bodies submitted to /add_new_invoice.php.
- Audit all user accounts and revoke unused or low-privilege accounts that could be leveraged to reach the vulnerable endpoint.
- Review database logs and invoice records for evidence of tampering since the disclosure date.
Patch Information
No official vendor patch is listed in the references for code-projects Pharmacy Management System 1.0. Administrators should monitor the code-projects website for updates and apply source-level fixes in the interim by replacing concatenated SQL in /add_new_invoice.php with parameterized queries using PDO prepared statements or mysqli_prepare.
Workarounds
- Modify /add_new_invoice.php to use prepared statements with bound parameters for the text argument and all other user-supplied input.
- Apply server-side input validation that rejects SQL metacharacters in fields where they are not required.
- Configure the database account used by the web application with least-privilege permissions, limiting it to the specific tables and operations required for invoice creation.
- Disable the invoice creation feature in production until the code is remediated if the function is not business-critical.
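The Root Cause section describes the defect (the text value interpolated into a dynamic SQL string) and the Patch Information and Workarounds sections describe the fix (binding it as a parameter). The following Python is an added example that is not the project's PHP code: it reproduces both the vulnerable concatenation and the parameterized replacement against an in-memory SQLite table, so the difference in behaviour can be observed directly. The invoices table, its columns, and the sample rows are constructed stand-ins for the real schema. The PHP equivalent of the hardened functions is a PDO prepare()/execute() or mysqli_prepare() call with the text value bound, as the Patch Information section recommends.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the application's invoices table (in-memory
    SQLite, not the project's MySQL/MariaDB schema); names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, customer TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO invoices (customer, total) VALUES (?, ?)",
        [("alice", 12.5), ("bob", 40.0), ("carol", 7.25)],
    )
    conn.commit()
    return conn


def last_invoice(conn):
    return conn.execute(
        "SELECT customer, total FROM invoices ORDER BY id DESC LIMIT 1"
    ).fetchone()


def add_invoice_vulnerable(conn, text):
    """CWE-89 pattern: the user-supplied value is spliced into the SQL string,
    so a quote, a closing parenthesis and a comment marker inside `text`
    rewrite the statement the database executes. Returns the stored row."""
    sql = "INSERT INTO invoices (customer, total) VALUES ('" + text + "', 0)"
    conn.execute(sql)
    conn.commit()
    return last_invoice(conn)


def add_invoice_hardened(conn, text):
    """Parameterized form: the SQL text is fixed and `text` travels as a bound
    value, so it can only ever become the customer string, never SQL."""
    conn.execute("INSERT INTO invoices (customer, total) VALUES (?, 0)", (text,))
    conn.commit()
    return last_invoice(conn)


def find_invoices_vulnerable(conn, text):
    """Read-side variant of the same defect: a boolean payload such as
    ' OR 1=1 -- turns an exact-match lookup into 'return every row'."""
    sql = "SELECT customer, total FROM invoices WHERE customer = '" + text + "'"
    return conn.execute(sql).fetchall()


def find_invoices_hardened(conn, text):
    """Same lookup with the value bound; the payload matches no customer."""
    return conn.execute(
        "SELECT customer, total FROM invoices WHERE customer = ?", (text,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1 --"  # pattern from the page's indicator list
    print(find_invoices_vulnerable(db, payload))  # all three rows returned
    print(find_invoices_hardened(db, payload))    # [] : no such customer literal
    tamper = "mallory', 999) --"  # constructed value that rewrites the INSERT
    print(add_invoice_vulnerable(db, tamper))     # ('mallory', 999.0): total overridden
    print(add_invoice_hardened(db, tamper))       # ("mallory', 999) --", 0.0): stored as data
```

The read-side functions show why input-validation alone (Workarounds, second item) is a weaker control than binding: the hardened query needs no knowledge of which characters are dangerous, because the value never reaches the SQL parser.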
# Example Apache ModSecurity (v2 syntax) rule to block SQLi patterns on the vulnerable endpoint.
# Requires SecRequestBodyAccess On so that ARGS includes POST body parameters in phase 2.
# REQUEST_FILENAME (not REQUEST_URI) is matched so a trailing query string does not bypass the check.
SecRule REQUEST_FILENAME "@endsWith /add_new_invoice.php" \
    "id:1010196,phase:2,deny,status:403,log,\
    chain,msg:'CVE-2024-10196 SQLi attempt on text parameter'"
    SecRule ARGS:text "@rx (?i)(union\s+select|or\s+1\s*=\s*1|--|;|/\*)" \
        "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.