CVE-2024-7374 Overview
CVE-2024-7374 is a SQL injection vulnerability in SourceCodester Simple Realtime Quiz System 1.0. The flaw resides in the /manage_user.php script, where the id parameter is passed to a database query without proper sanitization. Attackers can manipulate this parameter to inject arbitrary SQL statements. The vulnerability is remotely exploitable and requires only low-privilege authenticated access. A public proof-of-concept has been disclosed, increasing the likelihood of opportunistic exploitation against exposed installations. The issue is tracked under VulDB identifier VDB-273358 and classified as [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Remote attackers can extract, modify, or delete database contents through the id parameter in /manage_user.php, with a public PoC available.
Affected Products
- Oretnom23 (SourceCodester) Simple Realtime Quiz System 1.0
- CPE: cpe:2.3:a:oretnom23:simple_realtime_quiz_system:1.0
- PHP/MySQL web application deployments running the affected build
Discovery Timeline
- 2024-08-02 - CVE-2024-7374 published to NVD
- 2024-08-09 - Last updated in NVD database
Technical Details for CVE-2024-7374
Vulnerability Analysis
The Simple Realtime Quiz System exposes an administrative endpoint at /manage_user.php that accepts a user identifier through the id HTTP parameter. The application concatenates this user-supplied value directly into a SQL query without parameterization or input validation. An authenticated attacker can append SQL syntax such as UNION SELECT statements, boolean conditions, or stacked queries to alter query logic.
Successful exploitation allows extraction of credentials, quiz results, user records, and any other database contents accessible to the application's database account. Depending on the database account permissions, an attacker may also modify or delete records. The vulnerability is network-accessible and does not require user interaction, making automated mass scanning feasible.
Root Cause
The root cause is the absence of prepared statements or input sanitization for the id parameter in /manage_user.php. The application trusts client-supplied input and uses string concatenation to assemble SQL queries. This violates secure coding practice for database access in PHP and matches the classic [CWE-89] pattern.
Attack Vector
An attacker with low-privilege authenticated access sends a crafted HTTP request to /manage_user.php with malicious SQL payloads in the id parameter. Tools such as sqlmap can automate detection and extraction. Reference exploit details are documented in the GitHub Gist proof-of-concept and VulDB entry 273358.
No verified exploitation code is reproduced here. See the referenced PoC for technical demonstration.
Detection Methods for CVE-2024-7374
Indicators of Compromise
- HTTP requests to /manage_user.php containing SQL meta-characters in the id parameter, such as single quotes, UNION, SELECT, --, OR 1=1, or hex-encoded payloads.
- Web server access logs showing repeated id parameter variations from a single source within short intervals.
- Unexpected database errors logged by the application or MySQL after requests to manage_user.php.
- Outbound data transfers from the web server correlated with anomalous query response sizes.
Detection Strategies
- Deploy web application firewall (WAF) rules that match SQL injection signatures against the id parameter on /manage_user.php.
- Enable MySQL general query logging temporarily to identify malformed or suspicious queries originating from the application.
- Correlate authenticated session activity with abnormal database read volumes on user-related tables.
- Hunt for known PoC URI patterns published in the referenced GitHub Gist across historical web logs.
Monitoring Recommendations
- Forward web server and database logs to a centralized analytics platform for query pattern analysis.
- Alert on HTTP 500 responses from /manage_user.php correlated with parameter tampering.
- Track authenticated user sessions that issue unusually high request rates to administrative endpoints.
How to Mitigate CVE-2024-7374
Immediate Actions Required
- Remove or restrict network access to the Simple Realtime Quiz System 1.0 if it is exposed to untrusted networks.
- Place the application behind a WAF with SQL injection signatures enabled for the id parameter on manage_user.php.
- Rotate credentials for any accounts stored in the application database, since data exposure must be assumed where the PoC has been used.
- Review web server logs for prior exploitation attempts using the indicators above.
Patch Information
No official vendor patch is listed in the NVD record or VulDB entry at the time of publication. SourceCodester has not published a fixed release for Simple Realtime Quiz System 1.0. Organizations should monitor the VulDB advisory for updates and consider migrating to an actively maintained application.
Workarounds
- Modify /manage_user.php to use parameterized queries via PHP Data Objects (PDO) or mysqli prepared statements for the id parameter.
- Apply server-side input validation to enforce that id is a numeric integer before any database interaction.
- Restrict the database account used by the application to least-privilege permissions, denying DROP, ALTER, and cross-database access.
- Disable the affected endpoint until secure code changes are applied if the application is non-essential.
# Example WAF rule (ModSecurity) to block SQL meta-characters in the id parameter
SecRule REQUEST_URI "@beginsWith /manage_user.php" \
"chain,phase:2,deny,status:403,id:1007374,msg:'CVE-2024-7374 SQLi attempt'"
SecRule ARGS:id "@rx (?i)(union|select|--|';|or\s+1=1|sleep\()" "t:none,t:urlDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
