CVE-2024-6372 Overview
CVE-2024-6372 is a SQL injection vulnerability in itsourcecode Tailoring Management System 1.0. The flaw is in customeradd.php, which passes unsanitized form input into the database statement that creates a customer record. An attacker can place SQL in the fullname, address, phonenumber, sex, email, city, or comment parameter to alter that statement. The vulnerability is exploitable over the network and requires only a low-privilege account on the application. An exploit has been disclosed publicly, which raises the likelihood of opportunistic attacks against exposed deployments. The issue is tracked as VulDB identifier 269805 and classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, commonly called SQL Injection).
Critical Impact
Remote attackers with low privileges can inject arbitrary SQL through the customeradd.php form fields, exposing the underlying database to unauthorized read and write operations.
Affected Products
- itsourcecode Tailoring Management System 1.0
- angeljudesuarez tailoring_management_system 1.0
- Any deployment of either package that exposes customeradd.php; the flaw is in the query construction itself, so no configuration setting removes it
Discovery Timeline
- 2024-06-27 - CVE-2024-6372 published to the National Vulnerability Database
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-6372
Vulnerability Analysis
The vulnerability stems from improper neutralization of special elements used in an SQL command (CWE-89). The customeradd.php script accepts user-supplied form data and concatenates it directly into SQL statements without parameterization or input validation. An attacker submitting crafted payloads through the fullname, address, phonenumber, sex, email, city, or comment parameters can close the intended string literal and change the rest of the statement. The result is execution of attacker-controlled SQL against the backing database with the application's database privileges. Impact includes unauthorized data disclosure, modification of customer records, and, if the application's database account can write to the user or login tables, potential authentication bypass by altering stored credentials.
Root Cause
The root cause is the absence of prepared statements or parameterized queries in the customer-add workflow. User input flows from HTTP POST parameters into SQL strings without sanitization, escaping, or type enforcement. The application also fails to apply allow-list validation on fields such as phonenumber and email, which should accept only constrained character sets. Validation alone cannot close the hole, however: fullname, address and comment are free text in which an apostrophe is legitimate, so the fix is parameterization, with allow-list validation as defence in depth.
Attack Vector
The attack vector is network-based and requires low privileges. An attacker authenticated to the application as a low-privilege user can submit a POST request to customeradd.php containing SQL metacharacters in any of the affected fields, and the resulting statement is executed by the database server. Because the endpoint inserts a record rather than returning query results, a UNION SELECT payload does not hand data back to the attacker directly; extraction works by placing a subquery in an injected field so that its result is stored in the new customer record and read back through the application, or by boolean-based or time-based blind techniques that infer data from the server's response. No user interaction is required beyond the attacker's own submission.
No verified public proof-of-concept code is included in this advisory. Refer to the GitHub CVE Issue and VulDB #269805 entries for technical details documented by the reporter.
Detection Methods for CVE-2024-6372
Indicators of Compromise
- HTTP POST requests to customeradd.php whose form fields contain SQL metacharacters or keywords such as ', --, /*, UNION SELECT, or OR 1=1. Standard access logs do not record POST bodies, so this requires a WAF audit log or application-level request logging; a lone apostrophe is legitimate in names such as O'Brien, so alert on combinations rather than on a single quote
- Web server access logs showing repeated submissions to the customer-add endpoint from a single source IP
- Database error messages referencing syntax errors near user-supplied values in application logs (for MySQL, error 1064, "You have an error in your SQL syntax")
- Unexpected database queries originating from the application service account during off-hours
Detection Strategies
- Deploy web application firewall rules that match SQL injection signatures targeting POST parameters on customeradd.php
- Enable database query logging and alert on anomalous query structures originating from the tailoring application
- Correlate authentication events with subsequent submissions to identify low-privilege accounts probing input fields
Monitoring Recommendations
- Monitor application and database logs for SQL syntax errors, which often indicate injection probing
- Track request rate and payload entropy on customeradd.php to detect automated scanning
- Alert on database schema reconnaissance queries such as access to information_schema from the application user
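The query-log checks in the three lists above, worked through as an added example that is not part of the original advisory. It scans a constructed MySQL general-log excerpt (not a real capture) for INSERTs into an assumed customer table that carry a subselect, a tautology, a comment sequence, a stacked statement or a UNION, and for information_schema access, and it attributes each thread to a database user via its Connect line so that only the application's own account (assumed here to be named tailor) is flagged. The table name, the account names and the indicator patterns are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed MySQL general-log excerpt (not a real capture). mysqld writes one
# "<timestamp>\t<thread id> <command>\t<argument>" line per event. Thread 12 is
# the application's account; thread 13 is a separate backup account. The
# server rejects the two malformed probes with a syntax error, but the general
# log records every statement as received, so they still appear here.
SAMPLE_GENERAL_LOG = (
    "2024-07-01T02:14:07.100000Z\t   12 Connect\ttailor@localhost on tailoring_db using TCP/IP\n"
    "2024-07-01T02:14:07.200000Z\t   12 Query\tINSERT INTO customer (fullname, address, phonenumber, sex, email, city, comment) "
    "VALUES ('Ann O\\'Brien', '12 High St', '5551234', 'Female', 'ann@example.com', 'Leeds', 'Prefers mornings; call first')\n"
    "2024-07-01T02:14:09.300000Z\t   12 Query\tINSERT INTO customer (fullname, address, phonenumber, sex, email, city, comment) "
    "VALUES ('x', 'x', '5551234', 'Male', 'a@b.c', 'x', (SELECT password FROM users WHERE username='admin'))-- ', 'hi')\n"
    "2024-07-01T02:14:11.400000Z\t   12 Query\tSELECT table_name FROM information_schema.tables WHERE table_schema='tailoring_db'\n"
    "2024-07-01T02:14:12.500000Z\t   12 Query\tINSERT INTO customer (fullname, address, phonenumber, sex, email, city, comment) "
    "VALUES ('x', 'x', '5551234', 'Male', 'a@b.c', 'x' OR 1=1-- ', 'hi')\n"
    "2024-07-01T02:14:13.600000Z\t   13 Connect\tbackup@localhost on tailoring_db using TCP/IP\n"
    "2024-07-01T02:14:14.700000Z\t   13 Query\tSELECT table_name FROM information_schema.tables WHERE table_schema='tailoring_db'\n"
)

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Assumed indicator patterns. Each is run over the statement text; the name
# is reported so an analyst can see why a line fired.
INDICATORS = {
    # a subquery supplied as a VALUES entry: the INSERT-context exfil pattern
    "subselect_in_values": re.compile(r"\bvalues\b.*\(\s*select\b", re.I | re.S),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    # OR <x>=<x> with the same token on both sides (OR 1=1, OR 'a'='a')
    "tautology": re.compile(r"\bor\s+(\S+)\s*=\s*\1(?!\w)", re.I),
    "comment_truncation": re.compile(r"--\s|--$|/\*"),
    # a semicolon is only suspicious when a statement keyword follows it
    "stacked_statement": re.compile(r";\s*(?:select|insert|update|delete|drop|alter)\b", re.I),
    "schema_recon": re.compile(r"\binformation_schema\b", re.I),
}


@dataclass
class Alert:
    line_no: int
    thread: int
    user: str
    indicators: List[str]
    statement: str


def scan_general_log(text: str, app_user: str = "tailor") -> List[Alert]:
    """One Alert per Query line issued by app_user that matches an indicator.

    Threads are mapped to users from their Connect line, so queries from
    other accounts (backups, DBAs) are ignored even if they look like recon.
    """
    thread_user: Dict[int, str] = {}
    alerts: List[Alert] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, cmd, arg = int(m["thread"]), m["cmd"], m["arg"]
        if cmd == "Connect":
            user = re.match(r"(\w+)@", arg)
            if user:
                thread_user[thread] = user.group(1)
            continue
        if cmd != "Query" or thread_user.get(thread) != app_user:
            continue
        # An escaped quote (\') is what a correctly escaping code path emits
        # for names like O'Brien; drop it so it cannot trip any indicator.
        stmt = arg.replace("\\'", "")
        hits = [name for name, rx in INDICATORS.items() if rx.search(stmt)]
        if hits:
            alerts.append(Alert(line_no, thread, app_user, hits, arg))
    return alerts


if __name__ == "__main__":
    for a in scan_general_log(SAMPLE_GENERAL_LOG):
        print(f"line {a.line_no} thread {a.thread} ({a.user}): {a.indicators}")
```

On the sample, the benign O'Brien record (which also carries a semicolon in its comment) does not fire, the three probes from the application's thread do, and the backup account's information_schema query is ignored unless the scan is run with app_user set to backup.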
How to Mitigate CVE-2024-6372
Immediate Actions Required
- Restrict network access to the Tailoring Management System until a vendor patch is available
- Disable or restrict the customeradd.php endpoint to trusted administrative users only
- Apply web application firewall rules to block SQL metacharacters in the affected parameters
- Review database and application logs for evidence of prior exploitation attempts
Patch Information
No official vendor patch is listed in the NVD record at the time of publication. Operators should monitor the GitHub CVE Issue and VulDB #269805 for vendor updates. Until a fix is released, organizations should rewrite the affected queries to use parameterized statements and validate all input fields against strict allow-lists.
Workarounds
- Replace string concatenation in customeradd.php with PDO prepared statements or mysqli_prepare bound parameters
- Apply server-side input validation enforcing expected formats for phonenumber, email, and sex fields
- Run the database service account with least-privilege rights, removing DDL and cross-database access
- Place the application behind a reverse proxy with SQL injection filtering enabled
# Example ModSecurity rule to block SQLi patterns on customeradd.php.
# The disruptive action (deny) sits on the first rule of the chain and fires
# only when the chained ARGS check also matches. Only the seven affected
# parameters are inspected. A bare ';' or '--' in a free-text comment or
# address will trip the pattern, so review matches for false positives
# before running the rule in blocking mode.
SecRule REQUEST_URI "@contains /customeradd.php" \
    "id:1006372,phase:2,deny,status:403,log,\
    msg:'Potential SQLi against CVE-2024-6372',\
    chain"
    SecRule ARGS:fullname|ARGS:address|ARGS:phonenumber|ARGS:sex|ARGS:email|ARGS:city|ARGS:comment \
        "@rx (?i)(union\s+select|or\s+1=1|--|;|/\*|\(\s*select\b|xp_)"
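To show the root cause and the first two workarounds side by side, here is an added example that is not part of the original page or of the Tailoring Management System's code. It runs against an in-memory SQLite database in Python rather than the application's PHP and MySQL stack, with a constructed two-table schema (customer and users, the latter holding an assumed admin password hash); the PHP equivalent of the fixed function is mysqli_prepare with bind_param or a PDO prepared statement. The vulnerable function splices the seven form fields into the statement the way customeradd.php does. The payload in the city field is a subselect that writes the admin password hash into the new customer's comment column, the INSERT-context form of the data extraction described under Attack Vector. The fixed function stores the same payload as an inert string, and the allow-list check (assumed formats, since the application's accepted values are not documented) rejects malformed phonenumber, sex and email values before any query runs.

```python
import re
import sqlite3
from typing import Dict, Tuple

FIELDS = ("fullname", "address", "phonenumber", "sex", "email", "city", "comment")
COLUMNS = ", ".join(FIELDS)  # constant column list, never user input

# Assumed allow-lists for the constrained fields; free-text fields get none.
RULES = {
    "phonenumber": re.compile(r"\+?[0-9 ()-]{6,20}"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "sex": re.compile(r"Male|Female|Other"),
}

# Constructed payload: ends the city literal, supplies a subselect as the
# comment value, closes the VALUES list and comments out what follows.
PAYLOAD_CITY = "x', (SELECT password FROM users WHERE username='admin'))-- "
ATTACK_FORM = {
    "fullname": "x", "address": "x", "phonenumber": "5551234", "sex": "Male",
    "email": "a@b.c", "city": PAYLOAD_CITY, "comment": "hello",
}
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"  # constructed sample value


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's database (constructed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
        "INSERT INTO users (username, password) VALUES ('admin', '" + ADMIN_HASH + "');"
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, fullname TEXT, address TEXT,"
        " phonenumber TEXT, sex TEXT, email TEXT, city TEXT, comment TEXT);"
    )
    return con


def _fetch(con: sqlite3.Connection, row_id: int) -> Tuple[str, ...]:
    return con.execute(
        "SELECT " + COLUMNS + " FROM customer WHERE id = ?", (row_id,)
    ).fetchone()


def add_customer_vulnerable(con: sqlite3.Connection, form: Dict[str, str]) -> Tuple[str, ...]:
    """Mirrors the flaw: each field is spliced into the SQL text, so a quote
    in any field ends the literal and the remainder runs as SQL."""
    values = ", ".join("'" + form[f] + "'" for f in FIELDS)
    cur = con.execute("INSERT INTO customer (" + COLUMNS + ") VALUES (" + values + ")")
    return _fetch(con, cur.lastrowid)


def validate(form: Dict[str, str]) -> Dict[str, str]:
    """Field name -> problem, for missing fields and allow-list failures."""
    errors = {f: "missing" for f in FIELDS if f not in form}
    for f, rx in RULES.items():
        if f in form and not rx.fullmatch(form[f]):
            errors[f] = "bad format"
    return errors


def add_customer_fixed(con: sqlite3.Connection, form: Dict[str, str]) -> Tuple[str, ...]:
    """Allow-list validation first, then a parameterized INSERT. The driver
    sends the values separately from the statement, so they are never parsed
    as SQL regardless of what they contain."""
    errors = validate(form)
    if errors:
        raise ValueError("rejected fields: " + str(errors))
    placeholders = ", ".join("?" for _ in FIELDS)
    cur = con.execute(
        "INSERT INTO customer (" + COLUMNS + ") VALUES (" + placeholders + ")",
        tuple(form[f] for f in FIELDS),
    )
    return _fetch(con, cur.lastrowid)


if __name__ == "__main__":
    print("vulnerable:", add_customer_vulnerable(make_db(), ATTACK_FORM))
    print("fixed:     ", add_customer_fixed(make_db(), ATTACK_FORM))
```

In the vulnerable path the stored row has city "x" and the admin hash in comment; any screen that lists customers then leaks it to the attacker. In the fixed path the row holds the payload text itself in city and "hello" in comment, and a phone number such as "1; DROP TABLE customer" never reaches the database because validate() rejects it.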
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


