CVE-2024-6066 Overview
CVE-2024-6066 is a SQL injection vulnerability in SourceCodester Best House Rental Management System 1.0. The flaw resides in the payment_report.php script, where the month_of parameter is concatenated into a SQL query without proper sanitization. Authenticated attackers can manipulate the parameter remotely to execute arbitrary SQL statements against the backend database. The vulnerability is tracked under VulDB identifier VDB-268794 and maps to CWE-89. A public proof-of-concept has been disclosed, increasing the likelihood of opportunistic exploitation against exposed installations.
Critical Impact
Remote attackers with low privileges can extract, modify, or delete tenant, payment, and account data stored in the application database.
Affected Products
- Mayurik Best House Rental Management System 1.0
- SourceCodester Best House Rental Management System 1.0
- Deployments using the vulnerable payment_report.php endpoint
Discovery Timeline
- 2024-06-17 - CVE-2024-6066 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-6066
Vulnerability Analysis
The vulnerability is a classic SQL injection flaw in the payment reporting feature of the application. The payment_report.php script accepts a month_of HTTP parameter and inserts it directly into a SQL query string. Because the input is not parameterized or sanitized, attackers can break out of the intended query context and append arbitrary SQL syntax.
Successful exploitation grants read and write access to database tables containing rental records, tenant information, and payment history. Attackers can use UNION-based or boolean-based techniques to exfiltrate data, escalate access, or pivot to administrative functionality. The application requires a low-privileged authenticated session, but no user interaction is needed beyond submitting the crafted request.
The attack is launched over the network against the web application. Public disclosure of the proof-of-concept lowers the barrier to weaponization, since attackers can adapt existing payloads with minimal effort.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The developer concatenated user-supplied input from the month_of parameter directly into a SQL statement instead of using prepared statements or parameterized queries. PHP applications using the mysqli or legacy mysql_* APIs are particularly susceptible to this pattern when input filtering is omitted.
Attack Vector
An authenticated attacker sends an HTTP request to payment_report.php with a malicious value in the month_of parameter. The injected SQL is executed in the context of the application's database user, allowing the attacker to read arbitrary tables, modify records, or invoke database functions. Refer to the GitHub proof-of-concept for the exact request structure and payload format.
// No verified exploit code is reproduced here.
// See the linked PoC for the full request and payload.
Detection Methods for CVE-2024-6066
Indicators of Compromise
- HTTP requests to payment_report.php containing SQL metacharacters such as ', --, UNION, or SLEEP( in the month_of parameter
- Web server access logs showing repeated requests to the payment report endpoint from a single source
- Database error messages referencing syntax errors near month_of values in application logs
- Unexpected outbound DNS lookups or HTTP callbacks originating from the database server process
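The first indicator above can be checked directly against web server access logs. The following is an added example, not code from the page or from the project: it scans combined-format log lines for payment_report.php requests whose month_of value is not a plain YYYY-MM string, which catches obfuscated input that a keyword list would miss. The log lines are constructed samples and the script assumes PHP 8.

```php
<?php
// Added example, not from the page or the project: scans combined-format web
// server access log lines for payment_report.php requests whose month_of value
// is not a plain YYYY-MM string. The log lines below are constructed samples.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [17/Jun/2024:10:01:02 +0000] "GET /rental/payment_report.php?month_of=2024-05 HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jun/2024:10:01:09 +0000] "GET /rental/payment_report.php?month_of=2024-05%27%20UNION%20SELECT%201-- HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jun/2024:10:01:15 +0000] "GET /rental/payment_report.php?month_of=2024-05%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jun/2024:10:02:00 +0000] "GET /rental/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
LOG;

// Returns one [ip, decoded month_of] pair per suspicious request, in order of
// appearance, so repeated hits from a single source stand out.
function findSuspiciousMonthOf(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Client IP is the first field; the request target follows the method.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $ip, $target] = $m;
        if (!str_ends_with((string) parse_url($target, PHP_URL_PATH), '/payment_report.php')) {
            continue;
        }
        // parse_str URL-decodes the values, so encoded quotes and spaces are
        // normalised before the check, just as the application would see them.
        parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
        $monthOf = (string) ($params['month_of'] ?? '');
        // Allow-list check: anything that is not YYYY-MM is flagged, which also
        // catches payloads a keyword list (UNION, SLEEP( ...) would miss.
        if (preg_match('/^\d{4}-\d{2}$/', $monthOf) !== 1) {
            $findings[] = [$ip, $monthOf];
        }
    }
    return $findings;
}

foreach (findSuspiciousMonthOf(SAMPLE_LOG) as [$ip, $value]) {
    printf("%-14s month_of=%s\n", $ip, $value);
}
```

Run against the sample it reports the two requests from 203.0.113.10 and ignores the benign report request and the index.php hit.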
Detection Strategies
- Deploy web application firewall rules that flag SQL injection signatures targeting the payment_report.php endpoint
- Enable database query logging and alert on anomalous queries containing UNION SELECT, INFORMATION_SCHEMA, or stacked statements
- Correlate authenticated session activity with reporting endpoint usage to identify low-privileged accounts performing administrative-style queries
Monitoring Recommendations
- Monitor authentication logs for credential stuffing and brute-force attempts that precede injection activity
- Track file system access from the web server process for signs of database file read or write outside normal patterns
- Alert on new database accounts, privilege changes, or schema modifications occurring outside maintenance windows
How to Mitigate CVE-2024-6066
Immediate Actions Required
- Restrict access to the application to trusted networks or place it behind a VPN until a fix is applied
- Audit the database for unauthorized records, new accounts, or modified payment entries
- Rotate database credentials and application session secrets if exploitation is suspected
- Review web server logs for prior requests targeting payment_report.php with suspicious month_of values
Patch Information
No official vendor patch has been published for SourceCodester Best House Rental Management System 1.0. Operators should treat the codebase as unmaintained and apply source-level fixes. Replace dynamic SQL construction in payment_report.php with prepared statements using mysqli::prepare or PDO parameter binding. Validate that month_of matches an expected date format before query execution. Consult the VulDB entry for VDB-268794 for additional references.
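To make the Root Cause and the source-level fix concrete, here is an added example (not the project's own code): a hypothetical month filter of the kind payment_report.php implements, shown in its concatenating form and then rewritten with a strict YYYY-MM check and a mysqli prepared statement. The payments table and its column names are assumptions.

```php
<?php
// Added example, not the project's own code: a hypothetical month filter of
// the kind payment_report.php implements. Table and column names are assumed.
declare(strict_types=1);

// Vulnerable pattern (CWE-89): the raw month_of value is concatenated into
// the query, so a quote in the input ends the string literal and whatever
// follows is executed as SQL.
function vulnerableMonthQuery(mysqli $db, string $monthOf)
{
    $sql = "SELECT id, tenant_id, amount FROM payments WHERE month_of = '" . $monthOf . "'";
    return $db->query($sql);
}

// Allow-list the format before the value gets anywhere near the database:
// exactly YYYY-MM with a month of 01..12.
function isValidMonth(string $monthOf): bool
{
    return preg_match('/^\d{4}-(0[1-9]|1[0-2])$/', $monthOf) === 1;
}

// Hardened replacement: reject malformed input, then bind the value as a
// string parameter so the driver never interprets it as SQL syntax.
function safeMonthQuery(mysqli $db, string $monthOf): array
{
    if (!isValidMonth($monthOf)) {
        throw new InvalidArgumentException('month_of must be YYYY-MM');
    }
    $stmt = $db->prepare(
        'SELECT id, tenant_id, amount FROM payments WHERE month_of = ?'
    );
    $stmt->bind_param('s', $monthOf);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Report script usage (assumes $db is an open mysqli connection):
// $rows = safeMonthQuery($db, (string) ($_GET['month_of'] ?? ''));
```

The same two steps apply with PDO: validate first, then pass month_of as a bound parameter rather than interpolating it.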
Workarounds
- Apply a WAF virtual patch that rejects requests to payment_report.php containing SQL metacharacters in the month_of parameter
- Implement server-side input validation enforcing a strict YYYY-MM format on the month_of value
- Restrict the application database account to least-privilege permissions, removing FILE, DROP, and write access where feasible
- Disable or remove the payment reporting feature if it is not in active use
# Example WAF rule (ModSecurity) blocking SQLi patterns on the vulnerable endpoint.
# ARGS values are already URL-decoded by ModSecurity, so t:none is sufficient here.
# Keyword blocklists can be evaded; treat this as a stopgap alongside the
# server-side YYYY-MM validation above, not as a replacement for it.
SecRule REQUEST_URI "@contains payment_report.php" \
    "id:1006066,phase:2,deny,status:403,log,\
    msg:'CVE-2024-6066 SQLi attempt on month_of parameter',chain"
    SecRule ARGS:month_of "@rx (?i)(union|select|sleep\(|--|';|/\*)" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.