CVE-2024-2999 Overview
CVE-2024-2999 is a SQL injection vulnerability in Campcodes Online Art Gallery Management System 1.0. The flaw resides in the /admin/adminHome.php file, where the uname parameter is incorporated into a database query without proper sanitization. Attackers can manipulate this parameter to inject arbitrary SQL statements. The vulnerability is exploitable remotely without authentication or user interaction. Public disclosure of the exploit has occurred, increasing the risk of opportunistic attacks against exposed installations. The issue is tracked as VulDB identifier VDB-258201 and is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Unauthenticated remote attackers can extract sensitive database contents from the admin login interface through SQL injection in the uname parameter.
Affected Products
- Campcodes Online Art Gallery Management System 1.0
- Component: /admin/adminHome.php
- Vulnerable parameter: uname
Discovery Timeline
- 2024-03-27 - CVE-2024-2999 published to NVD
- 2025-03-05 - Last updated in NVD database
Technical Details for CVE-2024-2999
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-supplied input passed to the uname parameter on the administrative endpoint /admin/adminHome.php. The application concatenates this value directly into an SQL query rather than using parameterized statements. As a result, attackers can break out of the intended query context and append arbitrary SQL clauses.
The attack requires no privileges and no user interaction. Because the endpoint is part of the administrative interface, successful exploitation can disclose credentials, session data, or other sensitive records stored in the backend database. The CVSS vector indicates impact limited to confidentiality, suggesting data extraction is the primary outcome rather than direct modification or denial of service.
The Exploit Prediction Scoring System (EPSS) probability is 0.149% at the 34.9th percentile, indicating low expected exploitation activity at this time. However, the disclosure of working exploit details elevates practical risk for unpatched installations.
Root Cause
The root cause is the absence of input validation and prepared statements when constructing the SQL query for administrator authentication. The uname value is treated as trusted string data and inserted into the query string directly, allowing SQL metacharacters such as single quotes, comments, and UNION clauses to alter query semantics.
Attack Vector
An unauthenticated attacker submits a crafted HTTP request to /admin/adminHome.php containing a malicious uname value. By using payloads such as boolean-based, error-based, or UNION-based SQL injection techniques, the attacker can enumerate database schema and extract row contents. The attack is fully remote over the network and can be automated using tools such as sqlmap.
No verified proof-of-concept code is referenced beyond the GitHub Vulnerability PDF and the VulDB entry #258201.
Detection Methods for CVE-2024-2999
Indicators of Compromise
- HTTP POST or GET requests to /admin/adminHome.php containing SQL metacharacters in the uname parameter, such as single quotes, --, UNION SELECT, OR 1=1, or SLEEP(.
- Web server access logs showing repeated requests to /admin/adminHome.php from a single source within a short window.
- Database error messages returned in HTTP responses referencing MySQL syntax errors.
Detection Strategies
- Inspect web server and application logs for anomalous uname parameter values containing SQL syntax tokens.
- Deploy a web application firewall (WAF) with signatures tuned to detect SQL injection patterns targeting administrative endpoints.
- Enable database query auditing to flag malformed or unusually structured queries originating from the application user.
Monitoring Recommendations
- Alert on authentication endpoint requests that produce SQL errors or unusually large response bodies indicative of data extraction.
- Monitor for outbound data transfers from the database server that deviate from baseline application behavior.
- Track repeated failed login attempts from the same IP that include non-standard characters in credential fields.
How to Mitigate CVE-2024-2999
Immediate Actions Required
- Restrict network access to /admin/adminHome.php using IP allowlists or VPN-only access until a fix is applied.
- Deploy WAF rules to block requests containing SQL injection patterns in the uname parameter.
- Review database and application logs for prior exploitation attempts and rotate any administrator credentials that may have been exposed.
Patch Information
No vendor patch is referenced in the available advisory data. Campcodes has not published a fixed version for Online Art Gallery Management System 1.0 in the referenced sources. Operators should consult the vendor directly or consider migrating away from the affected application until a fix is released. See the VulDB advisory for ongoing updates.
Workarounds
- Replace dynamic SQL concatenation in /admin/adminHome.php with parameterized queries or prepared statements using PDO or mysqli with bound parameters.
- Apply server-side input validation to reject non-alphanumeric characters in the uname parameter where business logic permits.
- Restrict the database account used by the application to least-privilege read access where feasible, limiting the impact of a successful injection.
- Disable verbose database error messages in production to reduce information available to attackers performing error-based injection.
# Example ModSecurity WAF rule to block SQL metacharacters in the uname parameter
SecRule ARGS:uname "@rx (?i)(union(\s+all)?\s+select|--|\bor\b\s+\d+=\d+|sleep\s*\(|';)" \
"id:1002999,phase:2,deny,status:403,log,\
msg:'CVE-2024-2999 SQL Injection attempt on adminHome.php uname parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
