Skip to main content
CVE Vulnerability Database

CVE-2024-3464: Laundry Shop Management System SQLi Flaw

CVE-2024-3464 is a critical SQL injection vulnerability in Oretnom23 Laundry Shop Management System 1.0 affecting the Pelanggan.php file. This article covers the technical details, attack vectors, and mitigation strategies.

Updated:

CVE-2024-3464 Overview

CVE-2024-3464 is a SQL injection vulnerability in SourceCodester Laundry Management System 1.0, also distributed as the Oretnom23 Laundry Shop Management System. The flaw resides in the laporan_filter function of the /application/controller/Pelanggan.php file. Attackers can manipulate the jeniskelamin argument to inject arbitrary SQL statements into backend database queries. The issue is exploitable remotely without authentication or user interaction. Public exploit details have been disclosed, lowering the barrier to weaponization. The vulnerability is tracked as VDB-259745 and classified under CWE-89.

Critical Impact

Unauthenticated remote attackers can extract, modify, or destroy database contents by injecting SQL through the jeniskelamin parameter handled by laporan_filter.

Affected Products

  • Oretnom23 Laundry Shop Management System 1.0
  • SourceCodester Laundry Management System 1.0
  • Deployments using /application/controller/Pelanggan.php with the vulnerable laporan_filter function

Discovery Timeline

  • 2024-04-08 - CVE-2024-3464 published to NVD
  • 2025-01-17 - Last updated in NVD database

Technical Details for CVE-2024-3464

Vulnerability Analysis

The vulnerability is a classic SQL injection issue caused by directly concatenating user-controlled input into a database query. The laporan_filter function in /application/controller/Pelanggan.php accepts the jeniskelamin parameter and passes it to a SQL statement without parameterization or sanitization. An attacker controlling this parameter can break out of the intended query context and append arbitrary clauses such as UNION SELECT payloads, time-based blind injection probes, or stacked queries depending on the database driver in use.

Successful exploitation allows unauthenticated attackers to read sensitive tables, including customer records and authentication material, alter financial or operational data, and potentially achieve secondary impacts such as administrator account takeover. Because the application is a small-business management system, compromised databases typically contain personally identifiable information (PII) of customers.

Root Cause

The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The laporan_filter function does not apply prepared statements, bound parameters, or input validation to the jeniskelamin value before incorporating it into the query string. Standard CodeIgniter query builder or PDO parameterized queries would have prevented this class of injection.

Attack Vector

The attack is network-based and requires no privileges or user interaction. An attacker sends a crafted HTTP request to the endpoint backed by laporan_filter, supplying a malicious value in the jeniskelamin parameter. The injected SQL is executed within the application's database context. A public proof of concept is documented in the GitHub CVE PoC Repository and indexed at VulDB #259745.

No verified exploitation code is reproduced here. Refer to the linked advisories for the technical proof of concept.

Detection Methods for CVE-2024-3464

Indicators of Compromise

  • HTTP requests to URIs invoking the Pelanggan controller's laporan_filter action containing SQL metacharacters such as ', --, UNION, SLEEP(, or INFORMATION_SCHEMA in the jeniskelamin parameter.
  • Anomalous response sizes or response-time spikes from the application web tier correlated with requests carrying the jeniskelamin argument.
  • Database error messages referencing syntax errors in queries originating from Pelanggan.php.

Detection Strategies

  • Deploy web application firewall (WAF) signatures that flag SQL injection payloads targeting the jeniskelamin parameter.
  • Enable database query logging and alert on queries that include suspicious patterns such as UNION SELECT, conditional OR 1=1, or out-of-band DNS lookups.
  • Review application access logs for repeated requests to the laporan_filter endpoint from a single source over short intervals.

Monitoring Recommendations

  • Forward web server, application, and database logs to a centralized analytics platform for correlation and retention.
  • Baseline normal parameter values for jeniskelamin (expected to be a short gender code) and alert on deviations in length or character class.
  • Monitor outbound network traffic from the database host for unexpected DNS or HTTP callbacks indicative of out-of-band SQL injection.

How to Mitigate CVE-2024-3464

Immediate Actions Required

  • Restrict public exposure of the Laundry Management System administrative interface using network ACLs or VPN-only access until a fix is applied.
  • Audit the database for unauthorized accounts, altered records, and exfiltration indicators given that exploit details are public.
  • Rotate database credentials and any application secrets that may have been exposed through the vulnerable query.

Patch Information

No vendor patch is listed in the NVD entry or vendor resources for CVE-2024-3464. Organizations running SourceCodester Laundry Management System 1.0 or the Oretnom23 distribution should modify /application/controller/Pelanggan.php to use parameterized queries for all user-supplied inputs, particularly within the laporan_filter function. Track updates through the VulDB advisory.

Workarounds

  • Replace the vulnerable concatenated SQL in laporan_filter with CodeIgniter query bindings or PDO prepared statements that bind jeniskelamin as a parameter.
  • Add server-side input validation that restricts jeniskelamin to an allowlist of expected values such as L and P.
  • Place the application behind a WAF with SQL injection rules enabled, and block requests containing SQL metacharacters in the jeniskelamin parameter.
  • Run the application's database account with least privilege so that injection cannot reach administrative tables or execute file operations.
bash
# Example WAF rule (ModSecurity) to block SQLi patterns in the jeniskelamin parameter
SecRule ARGS:jeniskelamin "@rx (?i)(union(\s)+select|sleep\(|information_schema|--|';)" \
    "id:1003464,phase:2,deny,status:403,log,msg:'CVE-2024-3464 SQLi attempt against laporan_filter'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.