CVE-2024-7811 Overview
CVE-2024-7811 is a SQL injection vulnerability in SourceCodester Daily Expenses Monitoring App 1.0. The flaw resides in the /endpoint/delete-expense.php script, where the expense argument is incorporated into a database query without proper sanitization. Remote attackers can manipulate this parameter to inject arbitrary SQL statements. The exploit has been publicly disclosed, increasing the likelihood of opportunistic attacks against exposed instances. The weakness is tracked under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated remote attackers can manipulate the expense parameter in delete-expense.php to execute arbitrary SQL queries against the backend database, leading to data tampering, unauthorized deletion, or information disclosure.
Affected Products
- SourceCodester Daily Expenses Monitoring App 1.0
- Vendor component: rems:daily_expenses_monitoring_app
- Affected file: /endpoint/delete-expense.php
Discovery Timeline
- 2024-08-15 - CVE-2024-7811 published to NVD
- 2024-08-19 - Last updated in NVD database
- Public proof-of-concept disclosed via GitHub SQL Injection Vulnerability writeup and tracked as VulDB #274707
Technical Details for CVE-2024-7811
Vulnerability Analysis
The Daily Expenses Monitoring App is a PHP/MySQL web application used to track personal or organizational expenditures. The delete-expense.php endpoint accepts an expense request parameter that identifies the record targeted for deletion. The application concatenates this value directly into a SQL statement instead of using parameterized queries or prepared statements.
An attacker who can reach the endpoint over the network with low-privilege credentials can supply a crafted expense value containing SQL syntax. The injected payload is executed by the MySQL backend in the security context of the application database user. Depending on the database privileges, this enables record manipulation, schema enumeration through UNION-based payloads, and potential extraction of credentials or other application data.
The EPSS data places exploitation probability at 0.134% (percentile 32.475), but public disclosure of the proof-of-concept raises practical risk for any internet-exposed instance.
Root Cause
The root cause is the absence of input validation and parameterized queries in delete-expense.php. The expense parameter flows from the HTTP request directly into a SQL DELETE statement. This matches the classic pattern for [CWE-89] SQL injection, where untrusted input is treated as code rather than data.
Attack Vector
The attack vector is network-based and requires no user interaction. An attacker authenticated to the application sends a crafted HTTP request to /endpoint/delete-expense.php with a malicious expense parameter. Because the vulnerable parameter is parsed server-side without sanitization, the database executes the injected SQL clauses. Refer to the publicly disclosed proof-of-concept for the exact payload structure.
Detection Methods for CVE-2024-7811
Indicators of Compromise
- HTTP requests to /endpoint/delete-expense.php containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP, or comment sequences (--, #) in the expense parameter
- Unexpected DELETE, UPDATE, or SELECT queries in MySQL general or slow query logs originating from the application user
- Database errors or anomalous response times correlated with requests to the delete endpoint
Detection Strategies
- Inspect web server access logs for delete-expense.php requests where the expense parameter is non-numeric or contains URL-encoded SQL syntax
- Deploy a web application firewall rule that blocks SQL injection signatures targeting query string and POST parameters on the application's PHP endpoints
- Enable database query logging and alert on multi-statement queries or queries containing INFORMATION_SCHEMA references from the application account
Monitoring Recommendations
- Forward web server, PHP error, and MySQL logs to a centralized analytics platform for correlation and retention
- Baseline normal request patterns for the expense parameter and alert on deviations such as unusual length or non-integer values
- Monitor for sudden spikes in failed or successful DELETE operations against the expenses table
How to Mitigate CVE-2024-7811
Immediate Actions Required
- Restrict network access to the Daily Expenses Monitoring App to trusted internal networks or behind a VPN until a fix is applied
- Audit existing data for unauthorized modifications or deletions in the expenses table
- Rotate database credentials used by the application if compromise is suspected
- Apply least-privilege principles to the database account so it cannot read or modify tables beyond what the application requires
Patch Information
No official vendor patch is listed in the NVD entry or referenced advisories at the time of writing. Organizations running SourceCodester Daily Expenses Monitoring App 1.0 should consult VulDB #274707 for updates and consider applying source-level fixes by replacing the vulnerable query in delete-expense.php with a prepared statement using PDO or mysqli parameter binding.
Workarounds
- Modify delete-expense.php to cast the expense parameter to an integer before use, for example intval($_REQUEST['expense']), and use prepared statements with bound parameters
- Deploy a web application firewall in front of the application with SQL injection rule sets enabled
- Disable or remove the application from production environments if it is not business-critical, given the absence of an upstream patch
# Configuration example: Apache mod_security rule to block SQLi patterns on the vulnerable endpoint
SecRule REQUEST_URI "@contains /endpoint/delete-expense.php" \
"id:1007811,phase:2,deny,status:403,\
chain,msg:'Possible CVE-2024-7811 SQLi attempt'"
SecRule ARGS:expense "@rx (?i)(union|select|sleep|--|';|/\*)" "t:none,t:urlDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
