CVE-2024-3464 Overview
CVE-2024-3464 is a SQL injection vulnerability in SourceCodester Laundry Management System 1.0, also distributed as the Oretnom23 Laundry Shop Management System. The flaw resides in the laporan_filter function of the /application/controller/Pelanggan.php file. Attackers can manipulate the jeniskelamin argument to inject arbitrary SQL statements into backend database queries. The issue is exploitable remotely without authentication or user interaction. Public exploit details have been disclosed, lowering the barrier to weaponization. The vulnerability is tracked as VDB-259745 and classified under CWE-89.
Critical Impact
Unauthenticated remote attackers can extract, modify, or destroy database contents by injecting SQL through the jeniskelamin parameter handled by laporan_filter.
Affected Products
- Oretnom23 Laundry Shop Management System 1.0
- SourceCodester Laundry Management System 1.0
- Deployments using /application/controller/Pelanggan.php with the vulnerable laporan_filter function
Discovery Timeline
- 2024-04-08 - CVE-2024-3464 published to NVD
- 2025-01-17 - Last updated in the NVD database
Technical Details for CVE-2024-3464
Vulnerability Analysis
The vulnerability is a classic SQL injection issue caused by directly concatenating user-controlled input into a database query. The laporan_filter function in /application/controller/Pelanggan.php accepts the jeniskelamin parameter and passes it to a SQL statement without parameterization or sanitization. An attacker controlling this parameter can break out of the intended query context and append arbitrary clauses such as UNION SELECT payloads, time-based blind injection probes, or stacked queries depending on the database driver in use.
Successful exploitation allows unauthenticated attackers to read sensitive tables, including customer records and authentication material, alter financial or operational data, and potentially achieve secondary impacts such as administrator account takeover. Because the application is a small-business management system, compromised databases typically contain personally identifiable information (PII) of customers.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The laporan_filter function does not apply prepared statements, bound parameters, or input validation to the jeniskelamin value before incorporating it into the query string. Standard CodeIgniter query builder or PDO parameterized queries would have prevented this class of injection.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker sends a crafted HTTP request to the endpoint backed by laporan_filter, supplying a malicious value in the jeniskelamin parameter. The injected SQL is executed within the application's database context. A public proof of concept is documented in the GitHub CVE PoC Repository and indexed at VulDB #259745.
No verified exploitation code is reproduced here. Refer to the linked advisories for the technical proof of concept.
Detection Methods for CVE-2024-3464
Indicators of Compromise
- HTTP requests to URIs invoking the Pelanggan controller's laporan_filter action containing SQL metacharacters such as ', --, UNION, SLEEP(, or INFORMATION_SCHEMA in the jeniskelamin parameter.
- Anomalous response sizes or response-time spikes from the application web tier correlated with requests carrying the jeniskelamin argument.
- Database error messages referencing syntax errors in queries originating from Pelanggan.php.
Detection Strategies
- Deploy web application firewall (WAF) signatures that flag SQL injection payloads targeting the jeniskelamin parameter.
- Enable database query logging and alert on queries that include suspicious patterns such as UNION SELECT, tautologies such as OR 1=1, or functions used for out-of-band DNS lookups.
- Review application access logs for repeated requests to the laporan_filter endpoint from a single source over short intervals.
Monitoring Recommendations
- Forward web server, application, and database logs to a centralized analytics platform for correlation and retention.
- Baseline normal parameter values for jeniskelamin (expected to be a short gender code) and alert on deviations in length or character class.
- Monitor outbound network traffic from the database host for unexpected DNS or HTTP callbacks indicative of out-of-band SQL injection.
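The three detection lists above (metacharacters in the jeniskelamin parameter, deviation from the expected short gender code, and bursts of requests to the laporan_filter endpoint from one source) can be implemented as a single pass over web server access logs. The following Python is an added example, not code from the advisory or from the Laundry Management System project. It assumes the parameter is visible in the request line, i.e. sent in the query string; the CodeIgniter route /Pelanggan/laporan_filter, the sample log lines, and the addresses in them are constructed for the example. If the application sends jeniskelamin in a POST body, the same logic has to run over the WAF audit log or an application log that records request parameters, because the access log will not contain the value.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format. The route
# /Pelanggan/laporan_filter is an assumed CodeIgniter URL, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Apr/2024:10:00:01 +0000] "GET /Pelanggan/laporan_filter?jeniskelamin=L HTTP/1.1" 200 5123
203.0.113.10 - - [08/Apr/2024:10:00:05 +0000] "GET /Pelanggan/laporan_filter?jeniskelamin=P HTTP/1.1" 200 4980
198.51.100.7 - - [08/Apr/2024:10:01:00 +0000] "GET /Pelanggan/laporan_filter?jeniskelamin=L%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 9822
198.51.100.7 - - [08/Apr/2024:10:01:02 +0000] "GET /Pelanggan/laporan_filter?jeniskelamin=L%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 4980
198.51.100.7 - - [08/Apr/2024:10:01:03 +0000] "GET /Pelanggan/laporan_filter?jeniskelamin=L%27%20OR%201%3D1--%20- HTTP/1.1" 200 30211
192.0.2.5 - - [08/Apr/2024:10:02:00 +0000] "GET /Pelanggan/laporan_filter?jeniskelamin=PP HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# The metacharacter set the advisory's IoC list names, applied to the decoded parameter value.
SQLI_RE = re.compile(r"(?i)(union\s+select|sleep\s*\(|information_schema|--|'|;)")
# The advisory says jeniskelamin should be a short gender code; L and P are its allowlist.
EXPECTED = {"L", "P"}
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log line into a dict with the decoded query parameters, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    rec["time"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def classify_value(value):
    """Return the reasons a jeniskelamin value looks suspicious (empty list if it looks benign)."""
    reasons = []
    if SQLI_RE.search(value):
        reasons.append("sql-metacharacters")
    if value not in EXPECTED:
        reasons.append("not-in-allowlist")
    # Baseline check independent of the allowlist: one alphabetic character.
    if len(value) != 1 or not value.isalpha():
        reasons.append("length-or-charclass")
    return reasons


def max_requests_in_window(times, window_seconds=60):
    """Largest number of requests from one source that fall inside any window_seconds span."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, endpoint="/Pelanggan/laporan_filter", burst_threshold=3, window_seconds=60):
    """Flag suspicious jeniskelamin values and per-source bursts against the endpoint."""
    hits = []
    times_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(endpoint):
            continue
        times_by_ip[rec["ip"]].append(rec["time"])
        value = rec["params"].get("jeniskelamin", [""])[0]
        reasons = classify_value(value)
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "value": value, "reasons": reasons})
    bursts = {}
    for ip, times in times_by_ip.items():
        n = max_requests_in_window(times, window_seconds)
        if n >= burst_threshold:
            bursts[ip] = n
    return {"hits": hits, "bursts": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for hit in result["hits"]:
        print(hit["ip"], hit["ts"], repr(hit["value"]), ",".join(hit["reasons"]))
    print("bursts:", result["bursts"])
```

The "length-or-charclass" check is deliberately separate from the allowlist check so that the alert still fires if the allowlist is later extended incorrectly, and a value like PP (wrong length, no metacharacters) is surfaced as a baseline deviation rather than as an injection attempt. Requests from a source that exceed burst_threshold inside the window are reported even when every value was benign, which is the repeated-request signal the detection strategy describes.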
How to Mitigate CVE-2024-3464
Immediate Actions Required
- Restrict public exposure of the Laundry Management System administrative interface using network ACLs or VPN-only access until a fix is applied.
- Audit the database for unauthorized accounts, altered records, and exfiltration indicators given that exploit details are public.
- Rotate database credentials and any application secrets that may have been exposed through the vulnerable query.
Patch Information
No vendor patch is listed in the NVD entry or vendor resources for CVE-2024-3464. Organizations running SourceCodester Laundry Management System 1.0 or the Oretnom23 distribution should modify /application/controller/Pelanggan.php to use parameterized queries for all user-supplied inputs, particularly within the laporan_filter function. Track updates through the VulDB advisory.
Workarounds
- Replace the vulnerable concatenated SQL in laporan_filter with CodeIgniter query bindings or PDO prepared statements that bind jeniskelamin as a parameter.
- Add server-side input validation that restricts jeniskelamin to an allowlist of expected values such as L and P.
- Place the application behind a WAF with SQL injection rules enabled, and block requests containing SQL metacharacters in the jeniskelamin parameter.
- Run the application's database account with least privilege so that injection cannot reach administrative tables or execute file operations.
# Example WAF rule (ModSecurity) to block SQLi patterns in the jeniskelamin parameter
SecRule ARGS:jeniskelamin "@rx (?i)(union(\s)+select|sleep\(|information_schema|--|';)" \
"id:1003464,phase:2,deny,status:403,log,msg:'CVE-2024-3464 SQLi attempt against laporan_filter'"
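To make the first two workarounds concrete (parameter binding and an allowlist of L and P), here is an added example written for this page; it is not code from the vulnerable product, which is PHP on CodeIgniter, and it uses Python with an in-memory SQLite table whose name and columns (pelanggan, nama, jeniskelamin, telepon) are assumed. It places the concatenation pattern the advisory describes beside a bound version and a bound-plus-allowlist version, using the OR 1=1 tautology the detection section already names as the test input.

```python
import sqlite3

# The expected gender codes from the advisory's allowlist workaround.
ALLOWED_JENISKELAMIN = ("L", "P")


def build_demo_db():
    """Constructed in-memory stand-in for the app's customer table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pelanggan (id INTEGER PRIMARY KEY, nama TEXT, jeniskelamin TEXT, telepon TEXT)"
    )
    conn.executemany(
        "INSERT INTO pelanggan (nama, jeniskelamin, telepon) VALUES (?, ?, ?)",
        [("Andi", "L", "0812-000-0001"), ("Budi", "L", "0812-000-0002"), ("Citra", "P", "0812-000-0003")],
    )
    conn.commit()
    return conn


def laporan_filter_vulnerable(conn, jeniskelamin):
    """The pattern the advisory describes: the parameter is concatenated into the SQL text."""
    sql = "SELECT nama, jeniskelamin FROM pelanggan WHERE jeniskelamin = '" + jeniskelamin + "'"
    return conn.execute(sql).fetchall()


def laporan_filter_bound(conn, jeniskelamin):
    """Binding alone: the value is sent as data and can never alter the query structure."""
    sql = "SELECT nama, jeniskelamin FROM pelanggan WHERE jeniskelamin = ?"
    return conn.execute(sql, (jeniskelamin,)).fetchall()


def laporan_filter_fixed(conn, jeniskelamin):
    """Allowlist validation plus binding, the two code-level workarounds listed above."""
    if jeniskelamin not in ALLOWED_JENISKELAMIN:
        raise ValueError("jeniskelamin must be one of %s" % (ALLOWED_JENISKELAMIN,))
    return laporan_filter_bound(conn, jeniskelamin)


# Constructed test input using the OR 1=1 tautology named in the detection section.
TAUTOLOGY = "X' OR 1=1--"

if __name__ == "__main__":
    conn = build_demo_db()
    print("benign:    ", laporan_filter_vulnerable(conn, "P"))
    print("vulnerable:", laporan_filter_vulnerable(conn, TAUTOLOGY))  # every row comes back
    print("bound:     ", laporan_filter_bound(conn, TAUTOLOGY))       # no row has that literal value
    try:
        laporan_filter_fixed(conn, TAUTOLOGY)
    except ValueError as err:
        print("fixed:      rejected:", err)
```

The bound version already neutralizes the injection on its own; the allowlist is defence in depth that also rejects malformed but harmless values before they reach the database, and it gives the application a clean place to log the rejection. In CodeIgniter 3 the equivalent of the bound call is passing the value as a query binding, `$this->db->query('... WHERE jeniskelamin = ?', array($jeniskelamin))`, or using the query builder's `where('jeniskelamin', $jeniskelamin)`, which escapes the value for you.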
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.