CVE-2024-8345 Overview
CVE-2024-8345 is a SQL injection vulnerability in SourceCodester Music Gallery Site 1.0, a PHP web application by oretnom23. The flaw is in the /classes/Users.php?f=delete endpoint, where the id parameter is concatenated into a SQL query without validation or parameterization. Remote attackers holding a low-privilege account can manipulate the id argument to inject arbitrary SQL. A proof of concept has been publicly disclosed, which raises the likelihood of opportunistic attacks against exposed installations. The issue is classified as [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Authenticated attackers with low privileges can inject SQL through the id parameter and read, modify, or delete records in the application database. Because the injection point is a DELETE statement, the simplest payload is a tautology that widens the WHERE clause and removes every row of the target table.
Affected Products
- SourceCodester Music Gallery Site 1.0
- oretnom23 music_gallery_site version 1.0
- Deployments using the vulnerable /classes/Users.php handler
Discovery Timeline
- 2024-08-30 - CVE-2024-8345 published to NVD
- 2024-09-04 - Last updated in NVD database
Technical Details for CVE-2024-8345
Vulnerability Analysis
The vulnerable code is the user-deletion action reached through /classes/Users.php?f=delete. The handler reads the id parameter and interpolates it into a SQL DELETE statement with neither a prepared statement nor input validation, so an attacker holding a low-privilege account can supply a value that escapes the intended WHERE clause and runs arbitrary SQL against the application's MySQL database. If, as is typical for an integer key, the value is interpolated without quotes, the payload needs no quote character at all: an input such as 1 OR 1=1 is enough to widen the DELETE to every row. The attack is reachable over the network and needs no user interaction, so automated scanners and exploitation frameworks can find and weaponize it against exposed instances.
Root Cause
The root cause is that the delete action in Users.php builds its SQL DELETE statement by interpolating the id argument directly into the query string instead of binding it through a prepared statement or first validating it as an integer. This is the canonical [CWE-89] pattern and remains common in PHP applications that assemble queries by string concatenation.
Attack Vector
An attacker sends an HTTP request to /classes/Users.php?f=delete with a crafted value in the id parameter. The injected text becomes part of the query the backend executes. Exploitation requires network access to the application and a low-privilege account able to invoke the delete action. Since the injection lands in a DELETE statement rather than a SELECT, UNION-based extraction does not apply directly; data can still be inferred through boolean-based or time-based blind techniques using subqueries in the WHERE clause, and records can be modified or removed outright. See the public proof-of-concept documentation and VulDB entry #276224 for additional technical context.
Detection Methods for CVE-2024-8345
Indicators of Compromise
- HTTP requests to /classes/Users.php?f=delete whose id parameter carries SQL metacharacters or keywords (single quotes, UNION, SLEEP(, BENCHMARK(, or --), including URL-encoded forms such as %27 and %2D%2D
- Unexpected DELETE statements, or SQL syntax errors, in MySQL logs issued by the database account the Music Gallery Site uses
- Web access logs showing repeated probing of /classes/Users.php from a single source IP
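The first indicator above can be checked directly against web-server access logs. The script below is an added example, not code from the Music Gallery Site or from the advisory it accompanies: it parses combined-format log lines, isolates requests to /classes/Users.php with f=delete, percent-decodes the id value and reports anything that is not a plain integer, naming the marker that matched. The log lines embedded in it are constructed for the demo, and the marker list is this example's own choice rather than a published signature set.

```php
<?php
// Added example, not part of the Music Gallery Site or of the advisory it
// accompanies. Scans combined-format access-log lines for requests to
// /classes/Users.php?f=delete whose id value carries SQL-injection markers.
// All log lines below are constructed for the demo.

// Reason => pattern. None of these can appear in a legitimate numeric id.
const SQLI_MARKERS = [
    'single quote'     => "/'/",
    'UNION keyword'    => '/\bunion\b/i',
    'time-based probe' => '/\b(sleep|benchmark)\s*\(/i',
    'comment sequence' => '~--|/\*|#~',
    'tautology'        => '/\b(or|and)\b\s+\S+\s*=\s*\S+/i',
    'stacked query'    => '/;/',
];

// Parses one combined-format line into the fields the check needs; null if it does not match.
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Returns a finding for a request to the delete handler with a suspicious id, else null.
function inspect_request(array $req): ?array
{
    $url = parse_url($req['target']);
    if (($url['path'] ?? '') !== '/classes/Users.php') {
        return null;
    }
    parse_str($url['query'] ?? '', $params);          // also percent-decodes the values
    if (($params['f'] ?? '') !== 'delete' || !isset($params['id'])) {
        return null;
    }
    $finding = ['ip' => $req['ip'], 'time' => $req['time'], 'status' => $req['status']];
    if (is_array($params['id'])) {                     // id[]=... is never legitimate here
        return $finding + ['id' => json_encode($params['id']), 'reason' => 'array-typed id'];
    }
    $id = $params['id'];
    if (ctype_digit($id)) {
        return null;                                   // plain integer: what the handler expects
    }
    foreach (SQLI_MARKERS as $reason => $pattern) {
        if (preg_match($pattern, $id)) {
            return $finding + ['id' => $id, 'reason' => $reason];
        }
    }
    return $finding + ['id' => $id, 'reason' => 'non-numeric id'];
}

function scan_log(string $text): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($text)) as $line) {
        $req = parse_access_line($line);
        if ($req !== null && ($f = inspect_request($req)) !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

// Constructed sample lines; the second and third carry payloads as a scanner would send them.
$sample = <<<'LOG'
203.0.113.5 - - [30/Aug/2024:10:00:01 +0000] "GET /classes/Users.php?f=delete&id=7 HTTP/1.1" 200 21 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2024:10:00:09 +0000] "GET /classes/Users.php?f=delete&id=7%27%20OR%201%3D1--%20- HTTP/1.1" 200 21 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2024:10:00:14 +0000] "GET /classes/Users.php?f=delete&id=7%20AND%20SLEEP(5) HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.9 - - [30/Aug/2024:10:01:00 +0000] "GET /index.php?page=albums HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

foreach (scan_log($sample) as $f) {
    printf("%s %s status=%d id=%s (%s)\n", $f['time'], $f['ip'], $f['status'], $f['id'], $f['reason']);
}
```

Two findings come out of the sample: the quoted tautology on the second line and the SLEEP( probe on the third; the legitimate id=7 request and the unrelated page view are ignored. The check only sees what the web server logs, so if the front-end submits id in a POST body rather than the query string the access log will not contain it; in that case the same logic has to run on WAF or request-body logs.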
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect query parameters for SQL injection patterns on the Users.php endpoint
- Enable MySQL general query logging or an audit plugin (the general log is expensive, so scope it to the application's database account or to a limited window) and alert on DELETE statements that contain tautologies, subqueries, or stacked queries
- Correlate authentication events with subsequent requests to the delete handler to surface low-privilege accounts exhibiting injection behavior
Monitoring Recommendations
- Monitor traffic between the web tier and the database for unusual query volumes or durations; blind extraction through a DELETE injection shows up as long runs of near-identical statements or as queries that sleep
- Alert on HTTP 500 responses and PHP errors from /classes/Users.php, which often accompany failed injection attempts, but do not rely on them alone: a working boolean- or time-based payload returns the same 200 response as a legitimate request
- Track application user accounts with anomalous request rates against /classes/Users.php?f=delete
How to Mitigate CVE-2024-8345
Immediate Actions Required
- Restrict network access to the Music Gallery Site application until a fix is applied, ideally placing it behind authenticated VPN access
- Audit application user accounts and revoke unnecessary privileges that allow invoking the delete action
- Enable a WAF with SQL injection signatures in front of the application as a compensating control
Patch Information
At the time of publication, no vendor advisory or official patch is available from oretnom23 or SourceCodester for CVE-2024-8345. Administrators should monitor the SourceCodester project page and the VulDB record for updates. Until an official fix is released, organizations should treat the application as vulnerable and apply the workarounds below.
Workarounds
- Modify /classes/Users.php so the delete action uses a prepared statement (PDO with bound parameters, or mysqli with bind_param) instead of string concatenation; with PDO MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the value is bound server-side rather than interpolated client-side
- Validate that the id argument is a positive integer (for example with filter_var and FILTER_VALIDATE_INT) before it reaches any query, and reject invalid input rather than trying to strip characters from it
- Apply least-privilege configuration to the database account used by the application: an injection through the DELETE statement inherits every privilege that account has, so removing SELECT on tables unrelated to the delete operation limits what blind subquery extraction can reach
- Deploy ModSecurity with the OWASP Core Rule Set to block common SQL injection payloads against the affected endpoint
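The following block is an added example, not code from the Music Gallery Site, that illustrates the root cause described under Technical Details and the first two workarounds above side by side. The vulnerable function is a hypothetical reconstruction of the pattern the advisory describes (id interpolated unquoted into a DELETE); the hardened function validates and binds the value. Both run against an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed) so the effect can be observed offline; the application itself uses MySQL, for which the same PDO calls apply. The users table, its rows and the attacker input are constructed for the demo.

```php
<?php
// Added example, not code from the Music Gallery Site. The vulnerable
// function is a hypothetical reconstruction of the pattern the advisory
// describes; the hardened one applies the validate-then-bind workaround.
// Runs against in-memory SQLite via PDO (assumes the pdo_sqlite extension).

function fresh_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, type INTEGER)');
    $db->exec("INSERT INTO users VALUES (1, 'admin', 1), (2, 'alice', 2), (3, 'bob', 2)");
    return $db;
}

function user_count(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// VULNERABLE (hypothetical): the request value becomes part of the SQL text.
// Assumes the id is interpolated unquoted, as is usual for an integer key.
function delete_user_vulnerable(PDO $db, string $id): int
{
    return $db->exec("DELETE FROM users WHERE id = {$id}");
}

// HARDENED: validate first, then bind, so the value can never be parsed as SQL.
function delete_user_hardened(PDO $db, string $id): int
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed attacker input: a tautology widens the WHERE clause to every row.
$payload = '2 OR 1=1';

$db = fresh_db();
$deleted = delete_user_vulnerable($db, $payload);
printf("vulnerable: id=%s deleted %d rows, %d users left\n", $payload, $deleted, user_count($db));

$db = fresh_db();
try {
    delete_user_hardened($db, $payload);
} catch (InvalidArgumentException $e) {
    printf("hardened:   id=%s rejected (%s)\n", $payload, $e->getMessage());
}
$deleted = delete_user_hardened($db, '2');
printf("hardened:   id=2 deleted %d row, %d users left\n", $deleted, user_count($db));
```

With the vulnerable function the tautology deletes all three users; the hardened function rejects the same input before any SQL is built and deletes exactly one row for a genuine id. For mysqli the equivalent is prepare() followed by bind_param('i', $n). Note that parameterization fixes the injection only: because the advisory says a low-privilege account can reach this action, the delete handler should also be checked for an authorization test that restricts it to administrators.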
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.