CVE-2024-33965 Overview
CVE-2024-33965 is a SQL injection vulnerability [CWE-89] affecting Janobe PayPal, Credit Card and Debit Card Payment version 1.0. The flaw resides in the view parameter of /tubigangarden/admin/mod_accomodation/index.php. An unauthenticated attacker can send a crafted query to the server and retrieve all data stored in the backend database. Related Janobe products including the School Attendance Monitoring System and School Event Management System share the same vulnerable codebase. The issue was published to the National Vulnerability Database (NVD) on August 6, 2024.
Critical Impact
Remote, unauthenticated attackers can extract the entire contents of the application database, including credentials and payment records, through a single crafted HTTP request.
Affected Products
- Janobe PayPal, Credit Card and Debit Card Payment 1.0
- Janobe School Attendance Monitoring System 1.0 and School Event Management System 1.0
Discovery Timeline
- 2024-08-06 - CVE-2024-33965 published to NVD
- 2024-08-08 - Last updated in NVD database
Technical Details for CVE-2024-33965
Vulnerability Analysis
The vulnerability is a classic SQL injection [CWE-89] in the administrative module of multiple Janobe PHP applications. The view GET parameter passed to /tubigangarden/admin/mod_accomodation/index.php is concatenated directly into a SQL statement without parameterization or input filtering. An attacker who supplies SQL syntax in that parameter alters query semantics and forces the backend to return arbitrary rows.
Because the endpoint is reachable over the network and does not require authentication or user interaction, exploitation requires only HTTP access to the application. Successful injection yields full read access to database contents, which in payment-processing software typically includes cardholder data, account credentials, and transaction history.
Root Cause
The root cause is the absence of prepared statements or input sanitization on the view parameter. The PHP code embeds the attacker-controlled string directly into a SQL query executed by the MySQL backend. The same coding pattern appears across the affected Janobe products, indicating shared vulnerable components.
Attack Vector
The attack vector is remote and network-based. An attacker issues a GET request to /tubigangarden/admin/mod_accomodation/index.php with a malicious value in the view parameter, using UNION-based or boolean-based payloads to enumerate tables, columns, and rows. No credentials, tokens, or user actions are required.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in the INCIBE Security Notice.
Detection Methods for CVE-2024-33965
Indicators of Compromise
- HTTP requests to /tubigangarden/admin/mod_accomodation/index.php containing SQL keywords such as UNION, SELECT, SLEEP, INFORMATION_SCHEMA, or -- in the view parameter.
- Unusual spikes in 500-series responses from the admin module (error-based probing) or abnormally long response times (time-based blind SQL injection).
- Outbound database connections or queries originating from the web server outside normal application workflows.
Detection Strategies
- Inspect web server access logs for encoded payloads (%27, %20UNION%20, 0x) targeting the view parameter.
- Deploy a Web Application Firewall (WAF) rule that flags SQL metacharacters submitted to the admin module endpoints.
- Correlate web request logs with database audit logs to identify queries containing parameter values not produced by the application's normal code paths.
Monitoring Recommendations
- Enable verbose query logging on the MySQL backend and alert on INFORMATION_SCHEMA reads from the application service account.
- Monitor authentication tables for read access patterns inconsistent with login workflows.
- Track repeated requests to mod_accomodation/index.php from a single source IP within short time windows.
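The log-inspection checks above (URL-decoding the view parameter, matching the SQL markers from the indicator list, and counting repeated flagged requests per source) as an added Python example; this is not code from the notice or from Janobe, and the Apache-format log lines it parses are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines for illustration only (RFC 5737
# documentation addresses, not captured traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Aug/2024:10:00:01 +0000] "GET /tubigangarden/admin/mod_accomodation/index.php?view=list HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Aug/2024:10:00:02 +0000] "GET /tubigangarden/admin/mod_accomodation/index.php?view=list%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 5480 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Aug/2024:10:00:03 +0000] "GET /tubigangarden/admin/mod_accomodation/index.php?view=list%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Aug/2024:10:05:00 +0000] "GET /tubigangarden/admin/mod_accomodation/index.php?view=edit&id=3 HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Aug/2024:10:05:01 +0000] "GET /tubigangarden/admin/mod_accomodation/index.php?view=1%27%20or%201%3D1%20union%20select%20table_name%20from%20information_schema.tables HTTP/1.1" 500 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/tubigangarden/admin/mod_accomodation/index.php"
# Markers from the notice's indicator list, plus the quote needed to break out of
# the original string literal; evaluated on the URL-decoded value, not the raw log.
SQLI_RE = re.compile(r"(?i)(\bunion\b|\bselect\b|\bsleep\s*\(|information_schema|--|')")

def view_param(target):
    """Fully decoded 'view' value, or None when the parameter is absent."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("view")
    # parse_qs decodes once; unquote again so double-encoded payloads are not missed
    return unquote(values[0]) if values else None

def suspicious_requests(log_text):
    """Flag requests to the vulnerable endpoint whose view value carries SQL markers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path != TARGET_PATH:
            continue
        view = view_param(m["target"])
        if view is None:
            continue
        markers = sorted({k.lower() for k in SQLI_RE.findall(view)})
        if markers:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "view": view, "markers": markers})
    return hits

def repeat_sources(hits, threshold=2):
    """Source IPs with at least `threshold` flagged requests (repeated-request indicator)."""
    return {ip: n for ip, n in Counter(h["ip"] for h in hits).items() if n >= threshold}
```

Feed `suspicious_requests` the real access log text and review the `status` field alongside the markers: 500 responses point at error-based probing, while repeated hits from one source with `sleep(` suggest time-based probing.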
How to Mitigate CVE-2024-33965
Immediate Actions Required
- Remove the vulnerable Janobe application from public network exposure until a vendor fix is available.
- Restrict access to the /admin/ path with IP allowlisting or HTTP basic authentication at the web server layer.
- Rotate database credentials and any payment-processing secrets stored in the application configuration.
Patch Information
No vendor patch or advisory URL is listed in the NVD record at the time of publication. Refer to the INCIBE Security Notice for the latest vendor guidance. Operators should consider migrating off Janobe 1.0 components until a fixed release is published.
Workarounds
- Deploy WAF signatures that block SQL injection payloads on the view parameter and other admin module inputs.
- Refactor the affected PHP code to use parameterized queries with PDO or mysqli prepared statements instead of string concatenation.
- Enforce least-privilege database accounts so the web application cannot read tables outside its functional scope.
# Example ModSecurity rule to block SQLi attempts on the vulnerable endpoint
SecRule REQUEST_URI "@contains /tubigangarden/admin/mod_accomodation/index.php" \
"chain,id:1003396,phase:2,deny,status:403,msg:'Possible SQLi on Janobe view parameter'"
SecRule ARGS:view "@rx (?i)(union|select|sleep\(|information_schema|--|;)" "t:urlDecodeUni,t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.