CVE-2024-10349 Overview
CVE-2024-10349 is a SQL injection vulnerability in SourceCodester Best House Rental Management System 1.0. The flaw resides in the delete_tenant function within /ajax.php?action=delete_tenant. Attackers can manipulate the id parameter to inject arbitrary SQL statements against the backend database. The vulnerability requires low privileges and can be exploited remotely over the network without user interaction. Public disclosure of the exploit increases the likelihood of opportunistic abuse against exposed deployments.
Critical Impact
Authenticated remote attackers can inject SQL commands through the id parameter of the delete_tenant endpoint, exposing tenant records and database contents to unauthorized read, modification, or deletion.
Affected Products
- SourceCodester Best House Rental Management System 1.0
- Mayurik Best House Rental Management System (vendor distribution)
- /ajax.php?action=delete_tenant endpoint (delete_tenant function)
Discovery Timeline
- 2024-10-24 - CVE-2024-10349 published to the National Vulnerability Database (NVD)
- 2024-10-30 - Last updated in NVD database
Technical Details for CVE-2024-10349
Vulnerability Analysis
The vulnerability is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. The delete_tenant handler in /ajax.php receives an id parameter from client requests and concatenates it directly into a SQL DELETE statement. Because the input is neither parameterized nor validated, attackers can break out of the intended query context and append arbitrary SQL syntax.
Exploitation allows unauthorized data retrieval through UNION-based or error-based techniques, modification of tenant records, and destructive operations against adjacent tables. The endpoint is reachable over the network, and exploitation requires only a low-privileged authenticated session within the application.
Root Cause
The root cause is the absence of prepared statements or input sanitization in the delete_tenant function. The application trusts the id value as if it were a clean integer and passes it directly into the SQL query string. This pattern is common across legacy PHP applications that build queries via string concatenation rather than parameter binding through PDO or mysqli_prepare.
Attack Vector
An attacker authenticated to the rental management application sends a crafted HTTP request to /ajax.php?action=delete_tenant with a malicious payload in the id parameter. The injected SQL executes with the privileges of the database account used by the web application. The vulnerability mechanism is documented in the public GitHub CVE Project Documentation and tracked in VulDB #281696.
No verified proof-of-concept code is included here. Refer to the external advisories for technical request examples.
Detection Methods for CVE-2024-10349
Indicators of Compromise
- HTTP requests to /ajax.php?action=delete_tenant containing SQL meta-characters such as single quotes, UNION, SELECT, SLEEP, or comment sequences (--, #) in the id parameter.
- Unexpected DELETE or SELECT statements in MySQL query logs referencing the tenant table outside normal administrative workflows.
- Web server access logs showing repeated requests to the delete_tenant action from a single source with varying id values.
Detection Strategies
- Deploy web application firewall (WAF) signatures that inspect query strings on /ajax.php for SQL injection patterns targeting the id parameter.
- Enable MySQL general query logging or audit plugins to flag queries against the tenant table that contain boolean tautologies or stacked statements.
- Correlate authentication events with anomalous request volumes to the delete_tenant endpoint to surface low-privileged accounts probing the parameter.
Monitoring Recommendations
- Forward web server, PHP, and database logs to a centralized analytics platform and alert on SQL error responses returned from /ajax.php.
- Baseline normal delete_tenant request frequency per user role and alert on deviations.
- Monitor outbound database traffic for unusual data volumes that may indicate exfiltration via UNION-based injection.
How to Mitigate CVE-2024-10349
Immediate Actions Required
- Restrict network access to the Best House Rental Management System administrative interfaces to trusted IP ranges or VPN users.
- Rotate database credentials and review the application database account to ensure it has the least privilege required for runtime operations.
- Audit tenant and related tables for unauthorized modifications or deletions since the application was first exposed.
Patch Information
No vendor patch is referenced in the NVD entry or in VulDB #281696 at the time of publication. Operators running SourceCodester Best House Rental Management System 1.0 should treat the deployment as unpatched and apply compensating controls. Track the SourceCodester Security Resources page for vendor updates.
Workarounds
- Modify the delete_tenant function in /ajax.php to use parameterized queries with mysqli_prepare or PDO bound parameters instead of string concatenation.
- Cast the id parameter to an integer with intval($_POST['id']) before using it in any SQL statement as an interim hardening measure.
- Place the application behind a WAF configured with OWASP Core Rule Set SQL injection rules and block requests containing SQL meta-characters in the id parameter.
- Disable or remove the delete_tenant endpoint until code-level remediation is verified.
# Configuration example: nginx rule to block obvious SQLi patterns on the vulnerable endpoint
location = /ajax.php {
if ($arg_action = "delete_tenant") {
if ($args ~* "(union|select|sleep|--|#|';)") {
return 403;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
