CVE-2024-10291 Overview
CVE-2024-10291 is a SQL injection vulnerability in ZZCMS 2023, a Chinese content management system. The flaw resides in the Ebak_DoExecSQL and Ebak_DotranExecutSQL functions within 3/Ebak5.1/upload/phome.php. Attackers can manipulate the phome argument to inject arbitrary SQL statements into backend database queries. The vulnerability is exploitable remotely over the network and requires only low-level privileges. Because exploitation details have been disclosed publicly, defenders should expect opportunistic scanning against exposed ZZCMS deployments. The issue is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated remote attackers can inject SQL through the phome parameter in phome.php, compromising confidentiality, integrity, and availability of the backing database.
Affected Products
- ZZCMS 2023
- Component: 3/Ebak5.1/upload/phome.php
- Functions: Ebak_DoExecSQL, Ebak_DotranExecutSQL
Discovery Timeline
- 2024-10-23 - CVE-2024-10291 published to NVD
- 2024-10-30 - Last updated in NVD database
Technical Details for CVE-2024-10291
Vulnerability Analysis
The vulnerability is a classic SQL injection in the ZZCMS backup module shipped under Ebak5.1. The phome.php endpoint dispatches user-controlled input from the phome request parameter into the Ebak_DoExecSQL and Ebak_DotranExecutSQL helper functions. These functions concatenate the attacker-supplied value directly into SQL statements without parameterization or adequate sanitization.
Because the injection point sits inside execution helpers rather than at a single query site, multiple downstream code paths inherit the unsafe input handling. Attackers leveraging this issue can read arbitrary database tables, modify records, or trigger error-based and time-based extraction techniques. The exploit has been disclosed publicly, lowering the barrier for attackers to weaponize the issue.
Root Cause
The root cause is the absence of prepared statements and input validation around the phome parameter. User input flows from the HTTP request into SQL execution helpers without type coercion, allow-listing, or use of parameter binding. The CWE-89 classification reflects the failure to neutralize special characters before passing them to the SQL interpreter.
Attack Vector
Exploitation requires network access to the ZZCMS application and low-privileged authentication. An attacker crafts an HTTP request to phome.php with a malicious value in the phome parameter, embedding SQL syntax such as UNION SELECT, boolean conditions, or stacked queries depending on the underlying database. No user interaction is required, and the attack can be automated against internet-exposed ZZCMS hosts.
No verified proof-of-concept code is reproduced here. Refer to the GitHub Issue Discussion and VulDB #281560 Details for technical artifacts published by third parties.
Detection Methods for CVE-2024-10291
Indicators of Compromise
- HTTP requests to /3/Ebak5.1/upload/phome.php containing SQL metacharacters such as single quotes, UNION, SLEEP(, or comment sequences -- and # in the phome parameter.
- Web server access logs showing repeated requests with varying phome payload lengths, consistent with automated SQLi tooling like sqlmap.
- Unexpected database errors logged by the application referencing Ebak_DoExecSQL or Ebak_DotranExecutSQL.
Detection Strategies
- Deploy web application firewall signatures that inspect the phome query parameter for SQL syntax tokens and block anomalous payloads.
- Enable database query logging and alert on syntactically unusual statements originating from the ZZCMS application user.
- Correlate authentication events with subsequent requests to phome.php to identify low-privileged accounts probing the endpoint.
Monitoring Recommendations
- Baseline normal traffic volume to phome.php and alert on sudden spikes or bursts from a single source IP.
- Monitor outbound database connections for large result sets that could indicate data exfiltration via UNION-based extraction.
- Track failed login attempts followed by successful authentication, since the attack requires low-privilege credentials.
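As an added example that is not part of the original advisory, the script below applies the indicators from the lists above (SQL tokens in the phome parameter of requests to phome.php, and varying payload lengths from a single source) to constructed access-log lines. The log lines, IP addresses and the three-request threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (combined log format), not real traffic.
# One benign-looking request, three probing requests from 203.0.113.9, one off-endpoint line.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2024:10:00:01 +0000] "GET /3/Ebak5.1/upload/phome.php?phome=ExecSQL HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Oct/2024:10:00:02 +0000] "GET /3/Ebak5.1/upload/phome.php?phome=1%27%20UNION%20SELECT%201--%20 HTTP/1.1" 200 2048 "-" "sqlmap/1.8"
203.0.113.9 - - [23/Oct/2024:10:00:03 +0000] "GET /3/Ebak5.1/upload/phome.php?phome=1%27%20AND%20SLEEP(5)%23 HTTP/1.1" 200 2048 "-" "sqlmap/1.8"
203.0.113.9 - - [23/Oct/2024:10:00:04 +0000] "GET /3/Ebak5.1/upload/phome.php?phome=1%27%20AND%201=1--%20 HTTP/1.1" 200 2048 "-" "sqlmap/1.8"
198.51.100.7 - - [23/Oct/2024:10:00:05 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 100 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Vulnerable endpoint; case-insensitive, and (/|$) also catches PATH_INFO-style suffixes (phome.php/x).
ENDPOINT_RE = re.compile(r"/Ebak5\.1/upload/phome\.php(/|$)", re.IGNORECASE)
# Tokens from the IoC list: single quote, UNION, SLEEP(, and the -- and # comment sequences.
SQLI_RE = re.compile(r"'|\bunion\b|\bsleep\s*\(|--|#", re.IGNORECASE)

def parse_line(line):
    """Return ip, path and the decoded phome values for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes each value once
    return {"ip": m.group("ip"), "path": url.path, "phome": params.get("phome", [])}

def analyze(log_text, min_requests=3):
    """Return (hits, automated). hits: (ip, phome value) pairs containing SQL tokens.
    automated: source IPs with >= min_requests phome values of varying length, mapped to
    those lengths; this is the pattern the IoCs attribute to automated SQLi tooling."""
    hits = []
    lengths = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ENDPOINT_RE.search(rec["path"]):
            continue
        for value in rec["phome"]:
            lengths[rec["ip"]].append(len(value))
            if SQLI_RE.search(value):
                hits.append((rec["ip"], value))
    automated = {ip: lens for ip, lens in lengths.items()
                 if len(lens) >= min_requests and len(set(lens)) > 1}
    return hits, automated
```

Feed real access logs in through analyze() and raise the threshold to match the traffic baseline you established for phome.php.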
How to Mitigate CVE-2024-10291
Immediate Actions Required
- Restrict network access to the ZZCMS administrative and backup interfaces, including Ebak5.1/upload/phome.php, to trusted IP ranges only.
- Audit all ZZCMS user accounts and disable or rotate credentials that are not strictly required.
- Review web and database logs for prior exploitation attempts against phome.php.
Patch Information
No official vendor advisory or patch is referenced in the published CVE data. Operators should monitor the ZZCMS 2023 GitHub repository for upstream fixes and apply them as soon as available. Until a fix is released, treat the Ebak5.1 backup module as untrusted.
Workarounds
- Remove or rename the 3/Ebak5.1/upload/ directory if the backup functionality is not required in production.
- Place the application behind a web application firewall with SQL injection rules tuned to inspect the phome parameter.
- Enforce least privilege on the database account used by ZZCMS so that injection cannot reach sensitive tables or execute administrative statements.
# Example web server rule to block access to the vulnerable endpoint
# nginx configuration snippet
# The (/|$) suffix also catches PATH_INFO-style requests such as phome.php/x,
# which a bare $ anchor would leave unmatched and pass on to the PHP handler.
location ~* /Ebak5\.1/upload/phome\.php(/|$) {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.