CVE-2024-5118 Overview
CVE-2024-5118 is a SQL injection vulnerability in SourceCodester Event Registration System 1.0, developed by oretnom23. The flaw resides in the /admin/login.php endpoint, where the username and password parameters are passed unsanitized into SQL queries. Remote attackers can exploit this vulnerability without authentication or user interaction. The issue is tracked as VDB-265198 and has been publicly disclosed with proof-of-concept material available on GitHub. The weakness is classified under CWE-89, Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Unauthenticated attackers can bypass administrator authentication and access or manipulate backend database contents through crafted login requests.
Affected Products
- SourceCodester Event Registration System 1.0
- oretnom23 event_registration_system 1.0
- CPE: cpe:2.3:a:oretnom23:event_registration_system:1.0:*:*:*:*:*:*:*
Discovery Timeline
- 2024-05-20 - CVE-2024-5118 published to NVD
- 2025-02-10 - Last updated in NVD database
Technical Details for CVE-2024-5118
Vulnerability Analysis
The vulnerability exists in the administrator login handler at /admin/login.php. The application accepts the username and password form fields and concatenates them directly into a SQL query without parameterization or input sanitization. An attacker can submit crafted input containing SQL meta-characters to alter the query logic.
Because the affected endpoint is the administrative login page, successful exploitation can yield administrative session access. Attackers can also read, modify, or delete records in the underlying database depending on the database account's privileges. The attack requires no authentication, no privileges, and no user interaction, and is reachable over the network.
Root Cause
The root cause is improper neutralization of user-supplied input in SQL statements [CWE-89]. The login routine constructs queries through direct string concatenation rather than prepared statements with bound parameters. Standard input filtering, type validation, and least-privilege database accounts are absent in the affected release.
Attack Vector
Exploitation occurs over HTTP by submitting a POST request to /admin/login.php with malicious payloads in the username or password fields. Classic tautology payloads such as ' OR '1'='1 or union-based payloads can be used to bypass authentication or exfiltrate data. A public proof-of-concept is hosted on the BurakSevben CVE repository.
The public advisories describe the vulnerability in prose only; refer to the BurakSevben PoC referenced above for the exact request structure and payload syntax used by the original reporter.
Detection Methods for CVE-2024-5118
Indicators of Compromise
- HTTP POST requests to /admin/login.php containing SQL meta-characters such as single quotes, --, UNION SELECT, OR 1=1, or SLEEP( in the username or password parameters.
- Web server access logs showing repeated failed administrator login attempts followed by a successful authentication from the same source.
- Anomalous database query patterns (unexpected UNION clauses, comment sequences, or INFORMATION_SCHEMA access) originating from the application service account.
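Added example, not part of the original advisory, that applies the first two indicators above to a constructed application-level login audit log. It assumes the application writes one JSON line per attempt on /admin/login.php with the source IP, the submitted username and the outcome, and that passwords themselves are never logged.

```php
<?php
declare(strict_types=1);

// Constructed sample of an application-level login audit log (JSON lines). Assumed
// format, not the project's: one record per attempt on /admin/login.php with source
// IP, submitted username and outcome; the password itself is never logged.
$sampleLog = <<<'LOG'
{"ts":"2024-05-20T10:00:01Z","ip":"203.0.113.7","username":"admin","result":"fail"}
{"ts":"2024-05-20T10:00:02Z","ip":"203.0.113.7","username":"admin' OR '1'='1","result":"fail"}
{"ts":"2024-05-20T10:00:03Z","ip":"203.0.113.7","username":"admin' UNION SELECT 1,2 FROM users-- ","result":"fail"}
{"ts":"2024-05-20T10:00:04Z","ip":"203.0.113.7","username":"' OR 1=1-- ","result":"success"}
{"ts":"2024-05-20T10:05:00Z","ip":"198.51.100.2","username":"alice","result":"fail"}
{"ts":"2024-05-20T10:05:09Z","ip":"198.51.100.2","username":"alice","result":"success"}
LOG;

// Coarse SQLi signature for the username field: quote followed by OR/AND, comment
// sequence, UNION ... SELECT, numeric tautology, or a SLEEP( call. Tune per site.
const SQLI_PATTERN = '/(?:\'\s*(?:or|and)\b|--|\bunion\b.*\bselect\b|\bor\b\s*\d+\s*=|\bsleep\s*\()/i';
const FAILURE_THRESHOLD = 3;   // failures before a following success is suspicious

function analyseLoginLog(string $log): array
{
    $alerts = [];
    $failStreak = [];   // ip => consecutive failed attempts seen so far
    foreach (explode("\n", trim($log)) as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || !isset($rec['ts'], $rec['ip'], $rec['username'], $rec['result'])) {
            continue;   // skip malformed records rather than abort the scan
        }
        $ip = $rec['ip'];
        // Indicator 1: SQL meta-characters or keywords in the username parameter
        if (preg_match(SQLI_PATTERN, $rec['username'])) {
            $alerts[] = sprintf('%s sqli-pattern ip=%s username=%s', $rec['ts'], $ip, json_encode($rec['username']));
        }
        // Indicator 2: a run of failed logins followed by a success from the same source
        if ($rec['result'] === 'fail') {
            $failStreak[$ip] = ($failStreak[$ip] ?? 0) + 1;
        } else {
            if (($failStreak[$ip] ?? 0) >= FAILURE_THRESHOLD) {
                $alerts[] = sprintf('%s success-after-%d-failures ip=%s', $rec['ts'], $failStreak[$ip], $ip);
            }
            $failStreak[$ip] = 0;
        }
    }
    return $alerts;
}

foreach (analyseLoginLog($sampleLog) as $alert) {
    echo $alert, PHP_EOL;
}
```

Against the sample, the 203.0.113.7 source trips both indicators while the 198.51.100.2 user, who mistyped once, produces no alert.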
Detection Strategies
- Deploy web application firewall (WAF) signatures targeting SQL injection patterns directed at PHP login endpoints.
- Enable query logging on the backend database and alert on authentication queries whose structure deviates from the expected single username/password lookup (extra OR or UNION clauses, comment sequences, or SLEEP calls), which indicate user input reaching the SQL text.
- Correlate web access logs with database audit logs to identify login requests producing unusually long or error-generating SQL statements.
Monitoring Recommendations
- Monitor /admin/login.php for elevated request rates, payload length anomalies, and non-printable characters in POST bodies.
- Track administrator session creations and flag sessions established without a corresponding successful credential validation event.
- Alert on database errors emitted to HTTP responses, which often indicate active SQL injection probing.
How to Mitigate CVE-2024-5118
Immediate Actions Required
- Restrict access to /admin/login.php to trusted IP ranges or place the administrative interface behind a VPN until a fix is applied.
- Deploy WAF rules to block SQL injection payloads targeting the username and password parameters.
- Rotate any administrator credentials and database accounts that may have been exposed, and review database audit logs for signs of prior exploitation.
Patch Information
No vendor patch has been published for SourceCodester Event Registration System 1.0 in the referenced advisories. Organizations running this application should evaluate whether continued use is acceptable. If the application must remain in production, source-level remediation is required: replace string concatenation with prepared statements using parameterized queries (PDO::prepare with bound parameters or mysqli prepared statements), apply server-side input validation, and run the database under a least-privilege account.
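A hardened form of the login handler, written here as an added example rather than the project's own code. It assumes a PDO connection to MySQL, an `admin` table with `id`, `username` and `password_hash` columns (hashes created with `password_hash()`), and placeholder DSN and credentials; the change from selecting on the plaintext password to verifying a stored hash is also an assumption about the schema.

```php
<?php
declare(strict_types=1);

// Hardened replacement for the /admin/login.php handler. Assumptions (not from the
// original project): $pdo is a PDO handle, table `admin` has columns id, username
// and password_hash (created with password_hash()), DSN/credentials are placeholders.
function authenticateAdmin(PDO $pdo, string $username, string $password): ?int
{
    // Server-side validation: reject input outside the expected character class
    // before it reaches the query (assumed policy: 3-32 word characters).
    if (!preg_match('/^\w{3,32}$/', $username)) {
        return null;
    }

    // The original flaw concatenated username and password into the SQL string.
    // A prepared statement sends the value separately from the query text, so
    // quotes and SQL keywords in the input are never parsed as SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM admin WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a stored hash instead of selecting on the plaintext password;
    // password_verify() is constant-time and removes the second injection point.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

session_start();
$pdo = new PDO(
    'mysql:host=localhost;dbname=event_registration;charset=utf8mb4', // placeholder DSN
    'ers_app',      // assumed least-privilege DB account: only the grants the app needs
    'REPLACE_ME',   // placeholder secret; load from config outside the web root
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

$adminId = authenticateAdmin($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
if ($adminId === null) {
    // Generic message: never echo database errors or query text to the client.
    http_response_code(401);
    echo 'Invalid username or password.';
    exit;
}
session_regenerate_id(true);   // prevent session fixation on privilege change
$_SESSION['admin_id'] = $adminId;
header('Location: /admin/');
exit;
```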
Workarounds
- Implement a reverse proxy or WAF rule set that rejects requests to /admin/login.php containing SQL syntax characters in form fields.
- Modify the affected PHP code to use parameterized queries and reject inputs that do not match expected character classes.
- Disable the administrative interface entirely when not actively in use, and remove the application from internet-facing networks where feasible.
# Example ModSecurity rule to block common SQLi patterns on the admin login endpoint.
# REQUEST_FILENAME (path only) with @endsWith still matches when a query string is appended,
# which @streq on REQUEST_URI would miss; the chained rule inspects only the two vulnerable
# parameters. Expect some false positives on legitimate passwords containing quotes or "--".
SecRule REQUEST_FILENAME "@endsWith /admin/login.php" \
    "phase:2,chain,deny,status:403,log,id:1005118,msg:'Possible SQLi on Event Registration System admin login'"
    SecRule ARGS:username|ARGS:password "@rx (?i)(\b(union|select|or|and)\b.*\b(select|from|where)\b|'\s*(or|and)\s*['\d]|--|';|\bsleep\s*\()"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

