CVE-2024-33972 Overview
CVE-2024-33972 is a SQL injection vulnerability [CWE-89] affecting Janobe PayPal, Credit Card and Debit Card Payment version 1.0. The flaw resides in the events parameter of the /report/event_print.php endpoint. Attackers can send a specially crafted query to the server to extract arbitrary data from the backend database. The vulnerability requires no authentication and can be triggered remotely over the network. INCIBE (the Spanish National Cybersecurity Institute) coordinated the disclosure of multiple SQL injection issues across several Janobe products sharing the same codebase.
Critical Impact
Unauthenticated remote attackers can exfiltrate the full contents of the application database, including payment-related records and credentials, by injecting SQL through the events parameter.
Affected Products
- Janobe PayPal 1.0
- Janobe Credit Card 1.0
- Janobe Debit Card Payment 1.0
- Janobe School Attendance Monitoring System 1.0
- Janobe School Event Management System 1.0
Discovery Timeline
- 2024-08-06 - CVE-2024-33972 published to NVD
- 2024-08-08 - Last updated in NVD database
Technical Details for CVE-2024-33972
Vulnerability Analysis
The vulnerability is a classic in-band SQL injection in the reporting module. The /report/event_print.php script accepts an events parameter from the HTTP request and concatenates the value directly into a SQL statement executed against the application database. Because no parameterization, escaping, or input validation is applied, attacker-controlled input becomes part of the query syntax.
An attacker can break out of the original query context using a single quote or numeric delimiter, then append UNION SELECT clauses or boolean conditions to enumerate tables, columns, and rows. The Janobe payment products store cardholder identifiers, transaction records, and administrative credentials, making the database a high-value target. The vulnerability impacts confidentiality but, based on the CVSS vector, does not directly impact integrity or availability.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The event_print.php reporting script builds queries via string concatenation rather than using prepared statements or parameterized queries provided by the PHP MySQLi or PDO interfaces. Janobe products share a common codebase, which is why the same defect propagates across the PayPal, credit card, debit card, school attendance, and school event management applications.
Attack Vector
Exploitation requires only network access to the vulnerable web application. An unauthenticated attacker submits a crafted value for the events parameter to /report/event_print.php. Payloads typically use UNION-based or error-based techniques to retrieve database contents in the HTTP response, or boolean and time-based blind techniques when responses are not directly reflected. No user interaction or prior privileges are required, which makes automated mass scanning a likely exploitation method.
No verified public exploit code is available at this time. Technical details are described in the INCIBE Security Notice.
Detection Methods for CVE-2024-33972
Indicators of Compromise
- HTTP requests to /report/event_print.php whose events parameter contains SQL metacharacters or keywords such as ', --, UNION, SELECT, SLEEP(, or INFORMATION_SCHEMA.
- Web server logs showing unusually long or URL-encoded events parameter values originating from a single IP across short time windows.
- Database error messages referencing event_print.php in application or PHP error logs.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect query strings to /report/event_print.php for SQL injection signatures.
- Enable database query auditing and alert on queries that reference reporting tables but originate from anomalous client sessions.
- Correlate web access logs with database slow-query and error logs to identify failed injection attempts that may precede successful exploitation.
Monitoring Recommendations
- Monitor outbound data volumes from the database server for spikes that may indicate bulk extraction via SQL injection.
- Track repeated 200-status responses to /report/event_print.php with variable response sizes, a common signature of UNION-based enumeration.
- Alert on access to administrative tables (users, admins, transactions) from web application service accounts outside normal patterns.
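The indicator and monitoring checks listed above, run over a few constructed access-log lines. This is an added example, not code from the INCIBE notice or from the Janobe products; the combined log format, the expectation that a legitimate events value is numeric, the 24-character length threshold and the sample entries are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Combined-log-format line: client ident user [timestamp] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# Keywords and metacharacters named in the indicators above; (?i) makes the match case-insensitive
SQLI_RE = re.compile(r"(?i)(union\s+select|sleep\s*\(|information_schema|--|'|;)")
TARGET_PATH = "/report/event_print.php"

def classify_events(value):
    """Return indicator names for one URL-decoded events value (empty list if benign)."""
    hits = []
    if not value.isdigit():          # workaround rule: a legitimate events id is numeric (assumption)
        hits.append("non-numeric")
    if SQLI_RE.search(value):
        hits.append("sqli-keyword")
    if len(value) > 24:              # assumed threshold for an 'unusually long' value
        hits.append("long-value")
    return hits

def analyze(lines):
    """Flag suspicious requests to event_print.php and per-client enumeration patterns."""
    findings = []
    sizes_by_ip = defaultdict(list)  # client ip -> sizes of its 200 responses from the endpoint
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status, size = m.groups()
        url = urlsplit(target)
        if url.path != TARGET_PATH:
            continue
        events = parse_qs(url.query).get("events", [""])[0]   # parse_qs URL-decodes the value
        hits = classify_events(events)
        if hits:
            findings.append({"ip": ip, "events": events, "indicators": hits})
        if status == "200" and size != "-":
            sizes_by_ip[ip].append(int(size))
    # UNION-based enumeration: repeated 200s from one client whose response sizes keep changing
    for ip, sizes in sizes_by_ip.items():
        if len(sizes) >= 3 and len(set(sizes)) > 1:
            findings.append({"ip": ip, "indicators": ["variable-200-sizes"], "requests": len(sizes)})
    return findings

SAMPLE_LOG = [  # constructed entries, not real traffic
    '10.0.0.5 - - [06/Aug/2024:10:00:01 +0000] "GET /report/event_print.php?events=12 HTTP/1.1" 200 4321',
    '10.0.0.9 - - [06/Aug/2024:10:00:02 +0000] "GET /report/event_print.php?events=12%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [06/Aug/2024:10:00:03 +0000] "GET /report/event_print.php?events=12%27%20UNION%20SELECT%201,2,3,4--%20- HTTP/1.1" 200 5133',
    '10.0.0.9 - - [06/Aug/2024:10:00:04 +0000] "GET /report/event_print.php?events=12%20AND%20SLEEP(5) HTTP/1.1" 200 4321',
]
```

Calling analyze(SAMPLE_LOG) yields three per-request findings for 10.0.0.9 plus one variable-200-sizes finding for the same client, while the benign request from 10.0.0.5 produces nothing.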
How to Mitigate CVE-2024-33972
Immediate Actions Required
- Restrict access to /report/event_print.php to authenticated administrators using web server access controls until a vendor fix is applied.
- Deploy WAF signatures that block SQL injection payloads targeting the events parameter.
- Audit application database accounts and rotate credentials that may have been exposed through the reporting endpoint.
Patch Information
No vendor patch is referenced in the NVD entry or the INCIBE Security Notice at the time of publication. Operators of Janobe PayPal, Credit Card, Debit Card Payment, School Attendance Monitoring System, and School Event Management System version 1.0 should monitor the vendor for updates and consider replacing the affected components if no fix becomes available.
Workarounds
- Remove or disable the event_print.php reporting feature if it is not required for business operations.
- Place the application behind a reverse proxy that enforces strict input validation, rejecting non-numeric values for the events parameter.
- Apply least-privilege database permissions so the application account cannot read sensitive tables or execute administrative SQL functions.
# Example ModSecurity rule blocking SQL metacharacters in the events parameter
SecRule ARGS:events "@rx (?i)(union(.|\n)*select|sleep\(|information_schema|--|';)" \
"id:1003397,phase:2,deny,status:403,\
msg:'CVE-2024-33972 SQLi attempt against event_print.php'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.