CVE-2024-8335 Overview
CVE-2024-8335 is a SQL injection vulnerability in OpenRapid RapidCMS versions up to 1.3.1. The flaw resides in the /resource/runlogon.php script, where the username parameter is passed to a backend SQL query without proper sanitization. Attackers can exploit the issue remotely by injecting crafted SQL syntax into the username argument. The exploit details have been publicly disclosed, increasing the likelihood of opportunistic attacks against exposed installations. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Remote attackers with low privileges can manipulate the username parameter to inject arbitrary SQL statements, leading to unauthorized data access, modification, or authentication bypass against RapidCMS deployments.
Affected Products
- OpenRapid RapidCMS versions up to and including 1.3.1
- Deployments exposing /resource/runlogon.php to untrusted networks
- Web applications built on the vulnerable RapidCMS codebase
Discovery Timeline
- 2024-08-30 - CVE-2024-8335 published to NVD
- 2024-09-19 - Last updated in NVD database
Technical Details for CVE-2024-8335
Vulnerability Analysis
The vulnerability stems from improper input handling in the authentication routine of runlogon.php. The script accepts a username parameter from the HTTP request and concatenates it directly into a SQL query. This pattern allows attackers to break out of the intended query context and append arbitrary SQL clauses. Because the vulnerable endpoint is reachable over the network without prior authentication context beyond minimal privileges, exploitation requires no user interaction.
The EPSS score is 0.097%, indicating low observed exploitation probability at present. However, public disclosure of the proof of concept materially raises operational risk for unpatched, internet-facing deployments.
Root Cause
The root cause is the absence of parameterized queries or input validation around the username field. RapidCMS constructs SQL statements via string concatenation, leaving the query parser unable to distinguish data from code. Any single-quote, comment, or UNION token supplied by the attacker is interpreted as part of the SQL statement.
Attack Vector
An attacker sends a crafted HTTP request to /resource/runlogon.php with a malicious username value. The injected payload can extract database contents, bypass authentication by manipulating boolean conditions, or enumerate schema metadata using time-based or error-based techniques. The attack is network-reachable and does not require user interaction.
No verified exploit code is published in trusted repositories. Technical analysis is available in the Gitee SQL Injection Analysis and the VulDB CTI Report #276210.
Detection Methods for CVE-2024-8335
Indicators of Compromise
- HTTP POST or GET requests to /resource/runlogon.php containing SQL metacharacters such as ', --, UNION, SLEEP(, or OR 1=1 in the username parameter
- Unusual database error responses returned from RapidCMS login endpoints
- Spikes in authentication attempts against runlogon.php from a single source IP
Detection Strategies
- Inspect web server access logs for malformed or encoded values in the username query string or POST body targeting runlogon.php
- Deploy WAF signatures that flag classic SQL injection payloads against the RapidCMS authentication path
- Correlate database audit logs with web requests to identify anomalous query patterns originating from the application service account
Monitoring Recommendations
- Enable verbose logging on the database server to capture queries originating from RapidCMS and alert on UNION SELECT or stacked-query patterns
- Monitor outbound traffic from the web host for data exfiltration following suspicious login activity
- Track failed and successful authentication events against RapidCMS to detect injection-based authentication bypass
How to Mitigate CVE-2024-8335
Immediate Actions Required
- Restrict network access to RapidCMS administrative endpoints, especially /resource/runlogon.php, using IP allowlisting or VPN gating
- Deploy a web application firewall rule blocking SQL injection patterns targeting the username parameter
- Audit the RapidCMS database account and reduce its privileges to the minimum required for application function
Patch Information
No vendor patch is referenced in the NVD entry or VulDB submission at the time of publication. Operators should monitor the OpenRapid project repository and VulDB #276210 for remediation updates. Until a fix is available, treat all RapidCMS 1.3.1 and earlier installations as exposed.
Workarounds
- Place RapidCMS behind a reverse proxy that enforces strict input validation on the username parameter
- Disable or remove /resource/runlogon.php if the affected functionality is not required in your deployment
- Apply database-layer controls such as prepared statement enforcement or query allowlisting via a database firewall
# Example ModSecurity rule to block SQLi attempts against runlogon.php
SecRule REQUEST_URI "@contains /resource/runlogon.php" \
"id:1008335,phase:2,deny,status:403,\
chain,msg:'CVE-2024-8335 RapidCMS SQLi attempt'"
SecRule ARGS:username "@detectSQLi" \
"t:none,t:urlDecodeUni,t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
