CVE-2024-5895 Overview
CVE-2024-5895 is a SQL injection vulnerability in SourceCodester Employee and Visitor Gate Pass Logging System 1.0, developed by oretnom23. The flaw resides in the delete_users function within /classes/Users.php?f=delete. Manipulation of the id parameter allows attackers to inject arbitrary SQL statements into the underlying database query. The vulnerability is remotely exploitable and requires only low-privileged authentication. The exploit has been publicly disclosed under VulDB identifier VDB-268139, increasing the risk of opportunistic exploitation against exposed instances [CWE-89].
Critical Impact
Authenticated remote attackers can manipulate database queries through the id parameter to read, modify, or delete records in the application database.
Affected Products
- SourceCodester Employee and Visitor Gate Pass Logging System 1.0
- Vendor: oretnom23
- Component: /classes/Users.php (function delete_users)
Discovery Timeline
- 2024-06-12 - CVE-2024-5895 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-5895
Vulnerability Analysis
The vulnerability is a SQL injection flaw classified under [CWE-89]. The delete_users function in /classes/Users.php accepts an id parameter from the HTTP request when the f=delete action is invoked. The application passes this parameter into a SQL DELETE statement without proper sanitization or parameterized query binding. An attacker supplies crafted SQL syntax in the id argument to break out of the original query context. Successful exploitation allows the attacker to read sensitive data, modify records, or delete additional rows beyond the intended target. The EPSS score is 0.077% (22.81 percentile), reflecting limited observed exploitation activity but does not reduce the technical risk to exposed instances.
Root Cause
The root cause is improper neutralization of special elements in an SQL command. The delete_users handler concatenates the user-supplied id value directly into a SQL statement instead of using prepared statements with bound parameters. PHP database APIs such as PDO and MySQLi both support parameter binding, but the affected code path does not apply this protection.
Attack Vector
The attack vector is network-based and requires low privileges on the application. An attacker submits a crafted HTTP request to /classes/Users.php?f=delete with a malicious id value. No user interaction is required. The vulnerability mechanics are documented in the public GitHub CVE Analysis and the VulDB #268139 entry.
No verified exploit code is reproduced here. See the public write-up at
https://github.com/Hefei-Coffee/cve/blob/main/sql11.md for technical details.
Detection Methods for CVE-2024-5895
Indicators of Compromise
- HTTP requests to /classes/Users.php?f=delete containing SQL metacharacters (single quotes, UNION, SELECT, --, ;) in the id parameter.
- Web server logs showing unusually long or URL-encoded id values targeting the delete endpoint.
- Unexpected DELETE or SELECT statements in MySQL query logs originating from the application database user.
- Unexplained removal or modification of user records in the users table.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect query parameters for SQL injection patterns targeting Users.php.
- Enable MySQL general query logging temporarily to identify anomalous statements correlated to the delete_users function.
- Correlate application access logs with database audit trails to identify mismatches between expected and executed queries.
Monitoring Recommendations
- Alert on repeated 500-series HTTP responses from /classes/Users.php, which often indicate SQL syntax errors caused by injection attempts.
- Monitor authenticated session activity for accounts performing administrative actions outside business hours.
- Track outbound database connections and query volumes from the web tier for sudden spikes.
How to Mitigate CVE-2024-5895
Immediate Actions Required
- Restrict access to the application to trusted networks or place it behind a VPN until a vendor fix is available.
- Apply WAF signatures that block SQL injection payloads targeting the id parameter on /classes/Users.php.
- Audit existing user accounts and database contents for signs of unauthorized modification.
- Rotate credentials for any administrative accounts stored in the affected database.
Patch Information
No vendor patch is currently referenced in the NVD entry or VulDB advisory for SourceCodester Employee and Visitor Gate Pass Logging System 1.0. Organizations using this application should consider replacing the affected delete_users implementation with a parameterized query or retiring the application until an official fix is published. Refer to the VulDB #268139 advisory for ongoing updates.
Workarounds
- Modify the delete_users function in /classes/Users.php to use PDO prepared statements with bound parameters for the id value.
- Apply input validation that restricts the id parameter to numeric characters before reaching the database layer.
- Limit the database user privileges of the application account so it cannot execute destructive statements beyond the users table.
- Disable the application entirely if it is not required for business operations.
# Example: enforce numeric-only id parameter at the web server (nginx)
location /classes/Users.php {
if ($arg_id !~ "^[0-9]+$") {
return 400;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
