CVE-2024-10421: Attendance & Payroll System SQLi Flaw

CVE-2024-10421 Overview

CVE-2024-10421 is a SQL injection vulnerability in SourceCodester Attendance and Payroll System 1.0, developed by nurhodelta17. The flaw resides in the /admin/overtime_row.php file, where the id parameter is passed into a database query without proper sanitization. Remote attackers with low-privilege authenticated access can manipulate the parameter to inject arbitrary SQL statements. The exploit details have been publicly disclosed, increasing the risk of opportunistic abuse against exposed installations. The vulnerability is tracked under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.

Critical Impact

Authenticated remote attackers can extract, modify, or destroy data in the application database by injecting SQL through the id parameter of /admin/overtime_row.php.

Affected Products

• nurhodelta17 Attendance and Payroll System 1.0
• SourceCodester-distributed builds of Attendance and Payroll System 1.0
• Deployments using the vulnerable /admin/overtime_row.php endpoint

Discovery Timeline

• 2024-10-27 - CVE-2024-10421 published to the National Vulnerability Database (NVD)
• 2024-10-29 - Last updated in NVD database

Technical Details for CVE-2024-10421

Vulnerability Analysis

The vulnerability exists in the administrative endpoint /admin/overtime_row.php of the Attendance and Payroll System. The endpoint accepts an id parameter from the HTTP request and concatenates it directly into a SQL query. Because the input lacks parameterization or escaping, an authenticated attacker can append SQL syntax to alter the original query intent. The application processes the manipulated query against the backend database with the application's privileges. Successful exploitation exposes payroll, attendance, and administrative records to unauthorized read or write operations.

Root Cause

The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The script passes attacker-controlled input from the id argument into a SQL statement without using prepared statements or input validation. PHP applications that build queries through string concatenation are particularly susceptible to this pattern. The vulnerable code path does not enforce type casting on the id value, which should be a numeric identifier.

Attack Vector

The attack is initiated remotely over the network against the admin interface. An attacker requires low-privilege authenticated access to reach /admin/overtime_row.php. By supplying crafted SQL syntax in the id parameter, the attacker forces the database to execute injected statements. Public disclosure of the exploit details lowers the barrier to entry. No user interaction is required beyond submitting the malicious request.

The exploitation pattern follows classic union-based or boolean-based SQL injection against the id parameter. Refer to the GitHub vulnerability documentation and VulDB entry #281962 for technical proof-of-concept details.

Detection Methods for CVE-2024-10421

Indicators of Compromise

• HTTP requests to /admin/overtime_row.php containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP( in the id parameter
• Web server access logs showing unusually long or URL-encoded id query string values
• Database error messages referencing overtime_row.php in application logs
• Unexpected outbound database queries originating from the PHP application process

Detection Strategies

• Deploy web application firewall (WAF) rules to inspect query string parameters on /admin/overtime_row.php for SQL injection patterns
• Enable database query logging and alert on anomalous statements targeting the overtime table
• Correlate authenticated admin session activity with parameter tampering attempts in SIEM platforms
• Run authenticated dynamic application security testing (DAST) scans against admin endpoints to surface injectable parameters

Monitoring Recommendations

• Forward web server and PHP error logs to a centralized log platform for parameter-level analytics
• Monitor administrative account logins for unusual source IP addresses or off-hours access
• Alert on spikes in 500-series HTTP response codes from /admin/ paths, which often indicate injection probing
• Track database user activity for SELECT INTO OUTFILE, schema enumeration queries, or bulk data exports

How to Mitigate CVE-2024-10421

Immediate Actions Required

• Restrict network access to the /admin/ directory to trusted IP ranges using web server access controls
• Rotate credentials for all administrator accounts that may have been exposed prior to remediation
• Audit the overtime, attendance, and user tables for unauthorized modifications
• Deploy a WAF rule that blocks SQL injection signatures targeting the id parameter on /admin/overtime_row.php

Patch Information

No official vendor patch has been published at the time of writing. The vendor nurhodelta17 distributes Attendance and Payroll System 1.0 through SourceCodester. Operators should review the source code in /admin/overtime_row.php, replace string-concatenated queries with prepared statements using PDO or MySQLi parameter binding, and enforce integer casting on the id argument before any database interaction.

Workarounds

• Replace direct SQL string concatenation in overtime_row.php with parameterized queries using PDO prepare() and bindParam()
• Apply server-side input validation that rejects non-numeric values for the id parameter before query execution
• Disable or remove the vulnerable endpoint if overtime row functionality is not in active use
• Run the database service under a least-privilege account that cannot execute FILE or DDL operations

# Example WAF rule (ModSecurity) to block SQL injection on the vulnerable endpoint
SecRule REQUEST_URI "@beginsWith /admin/overtime_row.php" \
    "chain,deny,status:403,id:1004210,msg:'CVE-2024-10421 SQLi attempt'"
    SecRule ARGS:id "@detectSQLi" "t:none,t:urlDecodeUni"