CVE-2024-6802 Overview
CVE-2024-6802 is a SQL injection vulnerability in SourceCodester Computer Laboratory Management System 1.0. The flaw resides in the /lms/classes/Master.php?f=save_record endpoint, where the id parameter is passed directly into a backend SQL query without sanitization. Remote attackers with low-privileged access can manipulate the parameter to alter query logic and access or modify database contents. The exploit details have been publicly disclosed, increasing the risk of opportunistic abuse against exposed deployments. The weakness is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Remote attackers can inject arbitrary SQL through the id parameter of save_record, exposing stored credentials, lab inventory, and user records to unauthorized read and write operations.
Affected Products
- SourceCodester Computer Laboratory Management System 1.0
- Deployments using the unpatched /lms/classes/Master.php handler
- Any forks redistributing the vulnerable save_record function
Discovery Timeline
- 2024-07-17 - CVE-2024-6802 published to the National Vulnerability Database (NVD)
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-6802
Vulnerability Analysis
The vulnerable code path is reached through HTTP requests targeting /lms/classes/Master.php?f=save_record. The save_record function dispatches input parameters into SQL statements that build update or insert queries against the application's MySQL backend. The id parameter is concatenated into the query string rather than bound through a prepared statement.
An attacker submits crafted values in the id field to break out of the intended query context. From there, the attacker can append UNION SELECT, boolean-based, or time-based payloads to enumerate the schema and retrieve arbitrary records. Because the application authenticates users for record operations, the attacker needs only a low-privileged account to reach the sink.
Successful exploitation gives partial read, write, and availability impact on the database. This includes user credentials, lab assignments, and audit data managed by the system.
Root Cause
The root cause is missing input neutralization on the id parameter before its use in a dynamic SQL statement. The Master.php handler concatenates user-controlled HTTP input into the query string instead of using parameterized queries or an ORM layer. No allow-list validation or type casting filters non-numeric content from the id value.
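The contrast drawn above between concatenation and parameter binding, as an added example that is not the application's code. Python's sqlite3 stands in for the PHP/MySQL stack, and the `records` table, the function names and the tampered value are hypothetical and constructed for illustration.

```python
import sqlite3

TAMPERED_ID = "1 OR 1=1"  # constructed non-numeric id value

def make_db():
    # Hypothetical schema: the page does not show the real tables.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?)",
                   [(1, "pc-01"), (2, "pc-02"), (3, "pc-03")])
    return db

def save_concat(db, rid, name):
    """Pattern the page describes: id is concatenated into the statement."""
    cur = db.execute(f"UPDATE records SET name = ? WHERE id = {rid}", (name,))
    return cur.rowcount  # number of rows the UPDATE modified

def save_bound(db, rid, name):
    """Hardened form: allow-list check on id, then bound parameters only."""
    if not (isinstance(rid, str) and rid.isascii() and rid.isdigit()):
        raise ValueError("id must be a decimal integer")
    cur = db.execute("UPDATE records SET name = ? WHERE id = ?",
                     (name, int(rid)))
    return cur.rowcount

if __name__ == "__main__":
    print("concat, id=1        ->", save_concat(make_db(), "1", "x"), "row(s)")
    print("concat, tampered id ->", save_concat(make_db(), TAMPERED_ID, "x"), "row(s)")
    print("bound,  id=2        ->", save_bound(make_db(), "2", "x"), "row(s)")
    try:
        save_bound(make_db(), TAMPERED_ID, "x")
    except ValueError as exc:
        print("bound,  tampered id -> rejected:", exc)
```

PHP's intval() would turn the same tampered value into 1 instead of rejecting it, so it neutralizes the injection but still updates record 1; the strict check above fails closed.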
Attack Vector
The attack vector is network-accessible HTTP. An authenticated attacker sends a POST or GET request to /lms/classes/Master.php?f=save_record with a malicious id payload. No user interaction is required beyond the attacker's own session. The exploit is fully remote and works against any internet-exposed instance of the application.
The vulnerability is described in prose because no verified proof-of-concept code is available in authoritative sources. Refer to the Kunull CVE Report 2024-6802 and VulDB #271704 for additional technical context.
Detection Methods for CVE-2024-6802
Indicators of Compromise
- HTTP requests to /lms/classes/Master.php?f=save_record containing SQL metacharacters such as single quotes, UNION, SLEEP(, or comment sequences (--, #) in the id parameter
- Web server access logs showing repeated save_record calls from the same source with varying id payloads
- Database error messages tied to malformed queries originating from the Master.php handler
- Unexpected schema enumeration queries against the information_schema tables
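One way to hunt for the first two indicators in web server access logs, as an added example that is not part of the original advisory. It assumes Combined Log Format and only sees GET query strings (POST bodies need WAF audit or application logs); the sample lines, addresses and the `other_action` value are constructed, and a blank id is assumed to be benign.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+')
TARGET_PATH = "/lms/classes/Master.php"
NUMERIC_ID = re.compile(r"[0-9]+")

# Constructed sample lines (documentation IP ranges, made-up times and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2024:10:00:01 +0000] "GET /lms/classes/Master.php?f=save_record&id=7 HTTP/1.1" 200 21',
    '198.51.100.5 - - [17/Jul/2024:10:00:02 +0000] "GET /lms/classes/Master.php?f=save_record&id=7%27 HTTP/1.1" 200 88',
    '198.51.100.5 - - [17/Jul/2024:10:00:03 +0000] "GET /lms/classes/Master.php?f=save_record&id=7%27%20--%20 HTTP/1.1" 200 21',
    '192.0.2.10 - - [17/Jul/2024:10:00:04 +0000] "GET /lms/classes/Master.php?f=other_action&id=abc HTTP/1.1" 200 21',
]

def suspicious_ids(line):
    """Return (client, [non-numeric ids]) for a save_record request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.endswith(TARGET_PATH):
        return None
    # parse_qs percent-decodes, so encoded quotes and spaces are seen in clear.
    params = parse_qs(url.query, keep_blank_values=True)
    if "save_record" not in params.get("f", []):
        return None
    # Assumption: a blank id is a normal request and is not flagged.
    bad = [v for v in params.get("id", []) if v and not NUMERIC_ID.fullmatch(v)]
    return (client, bad) if bad else None

def scan(lines, threshold=2):
    """Map client -> distinct non-numeric ids, keeping clients at or over threshold."""
    hits = defaultdict(set)
    for line in lines:
        found = suspicious_ids(line)
        if found:
            hits[found[0]].update(found[1])
    return {c: ids for c, ids in hits.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for client, ids in scan(SAMPLE_LOG).items():
        print(client, sorted(ids))
```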
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the id parameter for SQL injection signatures on requests targeting Master.php
- Enable MySQL general query logging during incident response to correlate suspicious queries with originating HTTP sessions
- Hunt for anomalous response sizes or response times on save_record endpoints that may indicate union-based or time-based extraction
Monitoring Recommendations
- Forward application and database logs to a centralized logging platform for correlation across HTTP and SQL layers
- Alert on authenticated sessions performing high-frequency calls to Master.php endpoints outside normal user behavior
- Track outbound data transfer volumes from the database host to identify bulk exfiltration following injection attempts
How to Mitigate CVE-2024-6802
Immediate Actions Required
- Restrict network access to the Computer Laboratory Management System until a vendor fix is applied, placing it behind a VPN or IP allow-list
- Revoke and rotate credentials for any database accounts used by the application, assuming potential exposure
- Audit the users and authentication tables for unauthorized accounts or privilege changes introduced through injection
Patch Information
No vendor patch has been published for SourceCodester Computer Laboratory Management System 1.0 at the time of NVD publication. Operators should monitor the SourceCodester Resource Hub for updated releases and review the VulDB #271704 Report for tracking changes.
Workarounds
- Modify Master.php to cast the id parameter to an integer with intval() or use prepared statements via PDO or mysqli with bound parameters
- Deploy a WAF rule that blocks requests to /lms/classes/Master.php?f=save_record when the id parameter contains non-numeric characters
- Remove or disable the save_record function path if not required for production operations
- Apply least-privilege database permissions so the application account cannot read sensitive tables or execute administrative statements
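# Example WAF rule (ModSecurity) blocking non-numeric id values on save_record
# The chain matches only when all three conditions hold: the request targets
# Master.php, f equals save_record, and id is not made up solely of digits.
# An empty id is rejected as well; if the application submits a blank id for
# new records, relax the pattern to ^[0-9]*$.
SecRule REQUEST_URI "@contains /lms/classes/Master.php" \
    "chain,phase:2,deny,status:403,id:1006802,msg:'CVE-2024-6802 SQLi attempt'"
    SecRule ARGS:f "@streq save_record" "chain"
        SecRule ARGS:id "!@rx ^[0-9]+$"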