CVE-2024-10422 Overview
CVE-2024-10422 is a SQL injection vulnerability in SourceCodester Attendance and Payroll System 1.0, developed by nurhodelta17. The flaw resides in the /admin/overtime_add.php script, where the id parameter is passed directly into a SQL query without sanitization. Remote authenticated attackers can manipulate the parameter to alter query logic and access or modify database records. The exploit details have been publicly disclosed, increasing exposure for unpatched deployments. The weakness is tracked under CWE-89, Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Authenticated attackers can inject arbitrary SQL through the id parameter in /admin/overtime_add.php, exposing employee, payroll, and attendance records.
Affected Products
- SourceCodester Attendance and Payroll System 1.0
- Vendor: nurhodelta17
- Component: /admin/overtime_add.php
Discovery Timeline
- 2024-10-27 - CVE-2024-10422 published to NVD
- 2024-10-29 - Last updated in NVD database
Technical Details for CVE-2024-10422
Vulnerability Analysis
The vulnerability exists in the overtime management module of the administrative interface. The overtime_add.php script accepts the id parameter from an HTTP request and incorporates it into a SQL statement without parameterization or input validation. An attacker authenticated with low privileges can supply crafted SQL syntax through this parameter to manipulate the underlying query. The application returns results based on the injected payload, allowing data extraction, modification, or authentication context abuse. The exploit can be triggered remotely over the network and has been publicly disclosed.
Root Cause
The root cause is the direct concatenation of user-controlled input into a SQL query string. The application does not use prepared statements, parameterized queries, or input sanitization routines on the id parameter. PHP-based applications that interpolate request variables into MySQL queries without escaping create a direct path for SQL injection, as classified under CWE-89.
Attack Vector
The attack is initiated remotely against the /admin/overtime_add.php endpoint. An attacker requires low-privilege authentication to the admin panel but does not need user interaction beyond that. Attackers can craft a malicious value for the id parameter using standard SQL injection techniques such as UNION-based extraction, boolean-based blind injection, or time-based blind injection to enumerate database contents. Refer to the GitHub PoC Repository for technical reproduction details.
Detection Methods for CVE-2024-10422
Indicators of Compromise
- HTTP requests to /admin/overtime_add.php containing SQL metacharacters such as single quotes, UNION SELECT, SLEEP(, or comment sequences like -- and # in the id parameter
- Web server access logs showing repeated requests to overtime_add.php with varying id values from a single source
- Database error messages logged by PHP referencing MySQL syntax errors originating from the overtime module
- Unusual database query latency consistent with time-based blind SQL injection probes
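The first two indicators above, implemented as a small log scanner over constructed sample access-log lines. This is an added example and not part of the advisory or of the application's code; the combined log format, the IP addresses and the threshold of three distinct id values per source are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2024:10:01:02 +0000] "GET /admin/overtime_add.php?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [27/Oct/2024:10:02:10 +0000] "GET /admin/overtime_add.php?id=7%27%20OR%20SLEEP(5)--%20- HTTP/1.1" 200 512
10.0.0.9 - - [27/Oct/2024:10:02:11 +0000] "GET /admin/overtime_add.php?id=7%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 640
10.0.0.9 - - [27/Oct/2024:10:02:12 +0000] "GET /admin/overtime_add.php?id=5%27%23 HTTP/1.1" 200 512
10.0.0.9 - - [27/Oct/2024:10:02:13 +0000] "GET /admin/overtime_add.php?id=8 HTTP/1.1" 200 512
10.0.0.5 - - [27/Oct/2024:10:03:00 +0000] "GET /admin/index.php HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

# Metacharacters from the IoC list, matched on the URL-decoded value so %27 / %23 read as ' and #.
SQLI_PATTERNS = [
    ("single quote", re.compile(r"'")),
    ("UNION SELECT", re.compile(r"union\s+select", re.I)),
    ("SLEEP(", re.compile(r"sleep\s*\(", re.I)),
    ("comment --", re.compile(r"--")),
    ("comment #", re.compile(r"#")),
]

def inspect_id(value):
    """Return the indicator names found in one decoded id value ([] for a plain integer)."""
    if value.isdigit():
        return []
    return [name for name, rx in SQLI_PATTERNS if rx.search(value)]

def analyze_log(text, churn_threshold=3):
    """Return (hits, churn): hits = [(ip, decoded id, [indicators])] for overtime_add.php
    requests; churn = {ip: distinct id count} for sources at or above churn_threshold."""
    hits, ids_per_ip = [], defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/admin/overtime_add.php"):
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            ids_per_ip[m.group("ip")].add(raw)
            found = inspect_id(raw)
            if found:
                hits.append((m.group("ip"), raw, found))
    churn = {ip: len(v) for ip, v in ids_per_ip.items() if len(v) >= churn_threshold}
    return hits, churn
```

A plain integer id never matches, so normal use of the overtime module produces no hits; only the churn count grows with legitimate browsing, which is why it is reported separately rather than alerted on alone.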
Detection Strategies
- Deploy web application firewall (WAF) rules to flag SQL injection patterns targeting overtime_add.php
- Enable MySQL general query logging to inspect statements generated from the overtime module
- Correlate authentication events with subsequent suspicious parameter manipulation on admin endpoints
Monitoring Recommendations
- Monitor HTTP request volumes and parameter entropy on the /admin/ path tree for anomalies
- Alert on database errors emitted by overtime_add.php in PHP error logs
- Track outbound data volume from the database host to identify bulk extraction attempts
How to Mitigate CVE-2024-10422
Immediate Actions Required
- Restrict access to the /admin/ directory through network-level controls or IP allowlisting until a fix is applied
- Audit administrative accounts and rotate credentials that may have been exposed through the vulnerable interface
- Review database audit logs for suspicious queries originating from the application service account
- Deploy WAF signatures that block SQL injection payloads on the id parameter of overtime_add.php
Patch Information
No official vendor patch is referenced in the NVD entry for CVE-2024-10422. SourceCodester Attendance and Payroll System 1.0 is a community-distributed application, and remediation requires source-level modification by the operator. Replace string concatenation in overtime_add.php with prepared statements using PDO or mysqli with bound parameters. Additional resources are available at the SourceCodester Security Resources page and the VulDB advisory.
Workarounds
- Apply server-side input validation to enforce numeric-only values on the id parameter before reaching the database layer
- Run the database connection account with the minimum required privileges to limit the impact of successful injection
- Disable or remove the overtime management feature if it is not actively used in the deployment
- Place the application behind a reverse proxy with SQL injection filtering enabled
Example: validate a numeric id server-side and replace direct interpolation in overtime_add.php with a prepared statement (mysqli shown):
<?php
// Reject anything that is not a positive integer before it reaches the database layer.
$id = filter_var($_REQUEST['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}
// Bind the value as an integer parameter so it cannot alter the query structure.
$stmt = $conn->prepare("SELECT * FROM overtime WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.