CVE-2024-7377 Overview
CVE-2024-7377 is a SQL injection vulnerability in SourceCodester Simple Realtime Quiz System 1.0, developed by oretnom23. The flaw exists in the /view_result.php script, where the qid parameter is passed directly into a database query without sanitization [CWE-89]. Remote attackers with low privileges can manipulate the qid argument to inject arbitrary SQL statements. The exploit has been publicly disclosed, increasing the risk of opportunistic attacks against exposed deployments. The vulnerability was tracked as VulDB entry VDB-273361 and published to NVD on August 2, 2024.
Critical Impact
Authenticated remote attackers can inject SQL through the qid parameter in /view_result.php, exposing quiz data, user records, and credentials stored in the backend database.
Affected Products
- SourceCodester Simple Realtime Quiz System 1.0
- Vendor: oretnom23
- CPE: cpe:2.3:a:oretnom23:simple_realtime_quiz_system:1.0
Discovery Timeline
- 2024-08-02 - CVE-2024-7377 published to NVD
- 2024-08-02 - Public proof-of-concept disclosed via GitHub Gist and VulDB submission #383525
- 2024-08-09 - Last updated in NVD database
Technical Details for CVE-2024-7377
Vulnerability Analysis
The vulnerability resides in /view_result.php, a script that displays quiz results based on a quiz identifier supplied through the qid HTTP request parameter. The application concatenates the user-supplied qid value directly into a backend SQL query without parameterization or input validation. An authenticated attacker can submit crafted values that alter query logic, append UNION SELECT statements, or invoke time-based blind injection payloads.
Successful exploitation enables attackers to read arbitrary tables in the application's database, including stored credentials, quiz administrative records, and any session data the application keeps there. Depending on the privileges of the database account the application connects with, attackers can also modify or delete records. The attack requires network access to the application and a low-privilege account; no user interaction is needed.
Root Cause
The root cause is improper neutralization of special elements used in SQL commands [CWE-89]. The PHP code in view_result.php treats the qid parameter as trusted input and embeds it directly into a dynamic SQL string rather than using prepared statements with bound parameters.
Attack Vector
An attacker sends an HTTP request to /view_result.php with a malicious qid query string value. Typical payloads include boolean-based, error-based, and UNION-based SQL injection techniques. Because the exploit is publicly documented in the GitHub Gist PoC and indexed in VulDB #273361, automated scanners and opportunistic attackers can reproduce the attack with minimal effort.
No exploitation code from the public proof-of-concept is reproduced here. Refer to the linked references for the original PoC details.
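The following is an added example that models the root cause and the payload classes described above; it is not code from the Simple Realtime Quiz System (which is PHP) and not the public PoC. It assumes a constructed SQLite schema with hypothetical users and quiz_results tables, and uses Python so the vulnerable concatenation and the prepared-statement fix can be run side by side.

```python
import re
import sqlite3

# Constructed sample schema and rows; they stand in for the real
# application's tables and are not taken from the project.
SCHEMA = """
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
CREATE TABLE quiz_results (qid INTEGER, participant TEXT, score INTEGER);
INSERT INTO users VALUES (1, 'admin', 'hash-placeholder');
INSERT INTO quiz_results VALUES (7, 'alice', 90), (7, 'bob', 75), (8, 'carol', 60);
"""

QID_RE = re.compile(r"[0-9]+")


def make_db():
    """Return an in-memory SQLite database loaded with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def view_result_vulnerable(conn, qid):
    """CWE-89 pattern: the request parameter is spliced into the SQL text.

    This models the flaw described for view_result.php; it is not the
    project's code.
    """
    sql = "SELECT participant, score FROM quiz_results WHERE qid = " + qid
    return conn.execute(sql).fetchall()


def view_result_fixed(conn, qid):
    """Hardened variant: allow-list the expected shape, then bind the value.

    Binding alone would already defeat the payloads below (the whole string
    is compared as one value); the allow-list additionally gives a clean
    error instead of an empty result for malformed input.
    """
    if not QID_RE.fullmatch(qid):
        raise ValueError("qid must be a non-negative integer")
    sql = "SELECT participant, score FROM quiz_results WHERE qid = ?"
    return conn.execute(sql, (int(qid),)).fetchall()


def demo():
    conn = make_db()
    normal = view_result_vulnerable(conn, "7")
    # UNION-based read of another table; UNION ALL keeps row order.
    union = view_result_vulnerable(
        conn, "7 UNION ALL SELECT username, password FROM users")
    # Tautology (boolean-based) payload returns every quiz's rows.
    tautology = view_result_vulnerable(conn, "0 OR 1=1")
    # The same payload against the fixed function is rejected outright.
    try:
        view_result_fixed(conn, "0 OR 1=1")
        rejected = False
    except ValueError:
        rejected = True
    return normal, union, tautology, rejected


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Time-based payloads such as SLEEP() are MySQL-specific and are not modelled here, but they ride on the same concatenation; the fix is identical.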
Detection Methods for CVE-2024-7377
Indicators of Compromise
- HTTP requests to /view_result.php containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP(, or comment sequences (--, /*) within the qid parameter.
- Web server access logs showing abnormally long qid values or non-numeric content where an integer is expected.
- Database error messages logged by the PHP application referencing syntax errors near the qid value.
- Unexpected outbound connections from the database host, or sudden spikes in row reads against quiz-related tables or the users table.
Detection Strategies
- Deploy web application firewall (WAF) rules that match SQL injection signatures targeting the qid parameter on /view_result.php.
- Enable database query logging and alert on queries containing tautologies, stacked statements, or UNION operators originating from the quiz application service account.
- Correlate web access logs with database audit logs to identify request-to-query patterns consistent with injection attempts.
Monitoring Recommendations
- Monitor web access logs, correlated with session or authentication data, for low-privilege accounts that suddenly issue large volumes of view_result.php requests.
- Track HTTP 500 responses from the application, which often accompany failed SQL injection probing.
- Alert on egress traffic from the database host to unexpected destinations, which can indicate exfiltration following successful injection.
How to Mitigate CVE-2024-7377
Immediate Actions Required
- Restrict network exposure of the Simple Realtime Quiz System to trusted networks until a vendor fix is applied.
- Disable or remove the /view_result.php endpoint if quiz result functionality is not required in production.
- Rotate database credentials and review database audit logs for evidence of prior exploitation.
- Enforce least privilege on the database account used by the application to limit the impact of successful injection.
Patch Information
No vendor patch is currently listed in the NVD references for CVE-2024-7377. Administrators should monitor the SourceCodester project page and VulDB entry #273361 for updates. In the absence of an official fix, organizations should apply compensating controls or migrate to a maintained quiz platform.
Workarounds
- Implement a WAF rule that blocks non-integer values submitted to the qid parameter on /view_result.php; an integer allow-list is the most reliable compensating control because the parameter is only ever meant to carry a numeric quiz identifier.
- As a secondary measure, apply input validation at a reverse proxy layer to reject requests where qid contains SQL keywords or special characters. Apply this after URL-decoding the parameter, and treat keyword blacklists as weaker than the allow-list above, since they are easy to evade with encoding and alternative syntax.
- Move the application behind authentication-required network segmentation, such as a VPN or zero trust gateway.
- Replace the vulnerable query with a prepared statement if source code modification is permitted by the deployment.
# Example ModSecurity rule to block non-numeric qid values on view_result.php.
# The two rules are chained: the request is denied only when the URI matches
# AND qid is present but is not a plain integer. A request with no qid
# parameter is not blocked, and ModSecurity percent-decodes ARGS before the
# regex runs, so encoded payloads are caught.
SecRule REQUEST_URI "@beginsWith /view_result.php" \
"chain,phase:2,deny,status:403,log,id:1007377,msg:'CVE-2024-7377 SQLi attempt'"
SecRule ARGS:qid "!@rx ^[0-9]+$" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


