CVE-2024-7378 Overview
CVE-2024-7378 is a SQL injection vulnerability in SourceCodester Simple Realtime Quiz System 1.0. The flaw resides in the /manage_question.php script, where the id parameter is passed directly into a database query without proper sanitization. Attackers can manipulate this parameter to inject arbitrary SQL statements over the network. The vulnerability requires low privileges and no user interaction, making remote exploitation straightforward. A public proof-of-concept has been disclosed, increasing the risk of opportunistic exploitation against exposed installations.
Critical Impact
Remote authenticated attackers can inject SQL through the id parameter of /manage_question.php, exposing quiz data and potentially the underlying database.
Affected Products
- Oretnom23 (SourceCodester) Simple Realtime Quiz System 1.0
- Component: /manage_question.php
- CPE: cpe:2.3:a:oretnom23:simple_realtime_quiz_system:1.0
Discovery Timeline
- 2024-08-02 - CVE-2024-7378 published to NVD
- 2024-08-09 - Last updated in NVD database
Technical Details for CVE-2024-7378
Vulnerability Analysis
The vulnerability is classified as SQL Injection [CWE-89]. The /manage_question.php endpoint in the Simple Realtime Quiz System accepts an id argument from the HTTP request and concatenates it into a SQL query. Because the application does not validate or parameterize this input, attackers can break out of the intended query context. The result is arbitrary SQL execution under the privileges of the application's database user.
An attacker with low-privilege access to the application can read, modify, or delete records in the quiz database. Depending on the database user's permissions, the attack may extend to other databases on the same server. The EPSS score is 0.197% (percentile 41.5), reflecting limited but non-trivial exploitation probability.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command. The application builds queries by string concatenation rather than using prepared statements or parameterized queries. No input filtering, type casting, or allowlist validation is applied to the id parameter before it reaches the SQL engine.
Attack Vector
The attack vector is network-based and requires low privileges to reach the /manage_question.php endpoint. An attacker submits a crafted value for the id parameter, typically appending SQL operators such as UNION SELECT or boolean-based payloads. The public proof-of-concept hosted on GitHub Gist demonstrates manipulation of the id argument. Refer to the GitHub Gist PoC and VulDB entry #273362 for technical details.
Detection Methods for CVE-2024-7378
Indicators of Compromise
- HTTP requests to /manage_question.php containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP( in the id parameter.
- Web server access logs showing repeated requests to manage_question.php with varying id values and abnormal response sizes.
- Unexpected database errors or stack traces returned in application responses.
- New or modified records in the questions table without corresponding administrator activity.
Detection Strategies
- Deploy a web application firewall (WAF) rule set that inspects query string and POST parameters for SQL injection signatures targeting manage_question.php.
- Enable database query logging and alert on queries containing tautologies such as 1=1 or stacked statements originating from the quiz application.
- Correlate authentication events with subsequent requests to administrative endpoints to detect low-privilege accounts probing the vulnerable parameter.
Monitoring Recommendations
- Monitor outbound traffic from the web server for data exfiltration patterns following requests to manage_question.php.
- Track failed and successful login events to the quiz application and flag accounts that immediately access question management endpoints.
- Review database audit logs for SELECT statements returning unusually large result sets or accessing tables outside the application's normal scope.
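The indicators and detection strategies above, turned into a small log inspector as an added example (this is not part of the advisory or the vendor's code). It assumes Apache combined-format access logs, PHP 8, and the constructed sample lines embedded below.

```php
<?php
// Added example (not part of the advisory): detection logic for the indicators
// listed above, run over constructed Apache-style access-log lines. Only requests
// to manage_question.php are examined; the id parameter is URL-decoded first.
declare(strict_types=1);
const SQLI_PATTERNS = [
    "/'/"                       => 'single quote',
    '/--/'                      => 'comment sequence',
    '/\bunion\b.*\bselect\b/i'  => 'UNION SELECT',
    '/\bsleep\s*\(/i'           => 'SLEEP( probe',
    '/\bor\b\s+\d+\s*=\s*\d+/i' => 'tautology',
];
// Returns null for lines that need no attention, otherwise the alert details.
function inspectLogLine(string $line): ?array
{
    $re = '/"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3}) (?<size>\d+|-)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url = parse_url($m['target']);
    if (!isset($url['path']) || !str_ends_with($url['path'], '/manage_question.php')) {
        return null;
    }
    parse_str($url['query'] ?? '', $params);   // parse_str also URL-decodes the values
    $id = $params['id'] ?? null;
    if (!is_string($id) || $id === '' || ctype_digit($id)) {
        return null;                            // absent or purely numeric id: benign
    }
    $reason = 'non-numeric id';                 // anything non-numeric is worth a look
    foreach (SQLI_PATTERNS as $regex => $label) {
        if (preg_match($regex, $id)) {
            $reason = $label;
            break;
        }
    }
    return ['id' => $id, 'reason' => $reason, 'status' => (int) $m['status'], 'size' => $m['size']];
}
// Constructed sample lines: one benign request, two probing the id parameter
// (note the abnormal response size on the second and the error status on the third).
$sampleLog = <<<'LOG'
192.0.2.10 - - [02/Aug/2024:10:01:02 +0000] "GET /manage_question.php?id=7 HTTP/1.1" 200 1843
192.0.2.55 - - [02/Aug/2024:10:01:09 +0000] "GET /manage_question.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 98211
192.0.2.55 - - [02/Aug/2024:10:01:15 +0000] "GET /manage_question.php?id=7%20AND%20SLEEP(5) HTTP/1.1" 500 412
LOG;
foreach (explode("\n", $sampleLog) as $line) {
    if ($hit = inspectLogLine($line)) {
        printf("ALERT %-16s id=%s (status %d, %s bytes)\n", $hit['reason'], $hit['id'], $hit['status'], $hit['size']);
    }
}
```

Feed it real log lines with `php inspector.php < access.log` after swapping the heredoc for `stream_get_contents(STDIN)`; pairing the reason with the response size and status code gives the correlation the monitoring recommendations call for.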
How to Mitigate CVE-2024-7378
Immediate Actions Required
- Restrict network access to the Simple Realtime Quiz System, placing it behind authentication and IP allowlists where feasible.
- Disable or remove the application if it is not business-critical, as no vendor patch has been published.
- Deploy WAF rules to block SQL injection payloads targeting the id parameter of /manage_question.php.
- Rotate database credentials used by the application and reduce that account's privileges to the minimum required.
Patch Information
No vendor advisory or official patch has been published by Oretnom23/SourceCodester at the time of NVD publication. Administrators must rely on compensating controls and code-level fixes. The recommended code fix is to replace concatenated SQL with prepared statements using PDO or mysqli bound parameters, and to cast id to an integer before use.
Workarounds
- Modify /manage_question.php locally to validate that id is a positive integer using intval() or filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT).
- Convert the affected query to a parameterized prepared statement using PDO with bindParam(':id', $id, PDO::PARAM_INT).
- Apply the principle of least privilege to the database account, removing FILE, CREATE, and cross-database SELECT permissions.
- Place the application behind a reverse proxy that strips SQL metacharacters from request parameters until a vendor fix is available.
# Example WAF rule (ModSecurity) to block SQLi against manage_question.php
SecRule REQUEST_URI "@contains /manage_question.php" \
"id:1007378,phase:2,deny,status:403,\
chain,msg:'CVE-2024-7378 SQLi attempt on id parameter'"
SecRule ARGS:id "@detectSQLi" "t:none,t:urlDecode"
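The code-level fix recommended under Patch Information and Workarounds (integer validation plus a PDO prepared statement), shown as an added example next to the concatenation pattern the advisory describes; this is not the SourceCodester project's code. It assumes PHP 8 with the pdo_sqlite extension and a constructed questions table, so it runs without a MySQL server.

```php
<?php
// Added example (not the SourceCodester project's code): the concatenation pattern
// described in the advisory beside a hardened handler. The questions table and its
// rows are constructed; an in-memory SQLite PDO connection stands in for MySQL.
declare(strict_types=1);
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, quiz_id INTEGER, question TEXT)');
$db->exec("INSERT INTO questions VALUES (1, 10, 'What is 2+2?'), (2, 11, 'Capital of France?')");
// VULNERABLE (CWE-89): the request value is concatenated straight into the statement.
function loadQuestionVulnerable(PDO $db, string $id): array
{
    $sql = 'SELECT * FROM questions WHERE id = ' . $id;   // no validation, no binding
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}
// HARDENED: validate the type first, then bind the value as an integer parameter.
// filter_var() is the equivalent of filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT)
// for a value already pulled out of $_GET.
function loadQuestionHardened(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                        // anything but a positive integer is refused
    }
    $stmt = $db->prepare('SELECT * FROM questions WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);   // bindParam(':id', $id, PDO::PARAM_INT) is equivalent here
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
// A tautology appended to the id (the same class of payload the detection section
// lists): the vulnerable handler returns every row, the hardened one refuses the input.
$tamperedId = '1 OR 1=1';
printf("vulnerable: %d row(s) returned\n", count(loadQuestionVulnerable($db, $tamperedId)));
printf("hardened:   %s\n", loadQuestionHardened($db, $tamperedId) === null ? 'input rejected' : 'row returned');
printf("hardened with id=2: %s\n", loadQuestionHardened($db, '2')['question']);
```

The hardened handler should also emit a 400 response and log the rejected value, which feeds the access-log indicators listed in the detection section.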
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.