CVE-2024-8348 Overview
CVE-2024-8348 is a SQL injection vulnerability in SourceCodester Computer Laboratory Management System 1.0, developed by oretnom23. The flaw resides in the delete_category function of /classes/Master.php?f=delete_category. Attackers can manipulate the id parameter to inject arbitrary SQL into the underlying database query. The vulnerability is remotely exploitable and requires low-privilege authentication. Public disclosure of the exploit increases the risk of opportunistic attacks against exposed instances. The issue is tracked under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated remote attackers can inject SQL through the id parameter of the delete_category endpoint, leading to unauthorized read, modification, or deletion of database records.
Affected Products
- SourceCodester Computer Laboratory Management System 1.0
- Vendor: oretnom23
- Vulnerable component: /classes/Master.php?f=delete_category
Discovery Timeline
- 2024-08-30 - CVE-2024-8348 published to NVD
- 2024-09-04 - Last updated in NVD database
Technical Details for CVE-2024-8348
Vulnerability Analysis
The vulnerability exists in the delete_category function within /classes/Master.php. The application accepts an id argument from the HTTP request and concatenates it directly into a SQL DELETE statement without parameterization or input sanitization. An attacker who can authenticate to the application can supply crafted SQL payloads through this parameter to alter the structure of the executed query.
Because the endpoint is reachable over the network, exploitation does not require local access or user interaction. Public disclosure of the proof of concept lowers the barrier for opportunistic attackers scanning for vulnerable deployments.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The delete_category handler trusts user-supplied input for the id parameter and embeds it directly into a SQL query string. The absence of prepared statements or input validation allows attacker-controlled SQL syntax to be parsed and executed by the database engine.
Attack Vector
The attack vector is network-based. A remote, authenticated attacker sends a crafted HTTP request to /classes/Master.php?f=delete_category with a malicious id parameter. Because the injection point sits in the WHERE clause of a DELETE statement, the query returns no result set and UNION-based extraction does not apply; the realistic techniques are boolean-based and time-based blind injection (inferring data from the response or its latency), error-based extraction if database errors are echoed to the client, and direct data tampering by widening the WHERE clause (an id such as 1 OR 1=1 deletes every category). The vulnerability therefore impacts the confidentiality, integrity, and availability of the backend database.
For technical write-up details, see the GitHub Project Documentation and the VulDB entry #276230.
Detection Methods for CVE-2024-8348
Indicators of Compromise
- HTTP requests to /classes/Master.php?f=delete_category containing SQL meta-characters such as single quotes, UNION, SELECT, SLEEP, or comment sequences (--, #) in the id parameter.
- Unusually long or URL-encoded id parameter values submitted to the delete_category endpoint.
- Database error messages or anomalous query latency originating from requests to Master.php.
Detection Strategies
- Deploy web application firewall (WAF) signatures that flag SQL injection patterns targeting Master.php?f=delete_category.
- Enable verbose web server access logging and alert on non-numeric id parameter values sent to the affected endpoint. Standard access logs record only the query string, so if the client submits id in a POST body, request-body logging (for example the ModSecurity audit log) is needed to see the value.
- Correlate application logs with database query logs to identify malformed or anomalous DELETE statements.
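A small log-scanning example that applies the two checks above, the non-numeric id rule and the SQL meta-character indicators, to access log lines. It is an added example, not part of the original advisory or the vendor's application; the log lines, IP addresses and timestamps are constructed, and it assumes the id value is visible to the log, either in the query string or in a logged request body.

```python
"""Flag suspected SQL injection against /classes/Master.php?f=delete_category
(CVE-2024-8348) in web server access logs.

Added example, not the advisory's or the vendor's code. SAMPLE_LOG is
constructed. Assumes a legitimate id is an unsigned integer and that the id
value is visible in the query string or in a logged request body.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" access log line, reduced to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Meta-characters and keywords listed under Indicators of Compromise.
SQLI_HINTS = re.compile(
    r"(?i)('|\"|--|#|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\b|\band\b)"
)
INT_ONLY = re.compile(r"^[0-9]+$")
TARGET_PATH = "/classes/Master.php"
TARGET_FUNC = "delete_category"

def extract_params(uri, body=""):
    """Return (f, id) from the query string, falling back to a form body."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    func = query.get("f", [None])[0]
    ids = query.get("id") or parse_qs(body, keep_blank_values=True).get("id")
    # parse_qs decodes once; decode again to catch double-encoded payloads
    # such as %2527 -> %27 -> ' that a single pass would miss.
    id_value = unquote_plus(ids[0]) if ids else None
    return func, id_value

def classify(uri, body=""):
    """Return (verdict, reason, id); verdict is irrelevant, benign or suspicious."""
    if not urlsplit(uri).path.endswith(TARGET_PATH):
        return "irrelevant", None, None
    func, id_value = extract_params(uri, body)
    if func != TARGET_FUNC:
        return "irrelevant", None, None
    if id_value is None or INT_ONLY.match(id_value):
        return "benign", None, id_value
    reason = "sqli-pattern" if SQLI_HINTS.search(id_value) else "non-numeric"
    return "suspicious", reason, id_value

def scan_log(text):
    """Return one record per suspicious request found in an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, reason, id_value = classify(m["uri"])
        if verdict == "suspicious":
            hits.append({"ip": m["ip"], "ts": m["ts"], "id": id_value, "reason": reason})
    return hits

# Constructed sample: one legitimate delete, three injection attempts
# (quote/tautology, time-based, double-encoded) and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Aug/2024:10:01:02 +0000] "POST /classes/Master.php?f=delete_category&id=7 HTTP/1.1" 200 31
10.0.0.9 - - [30/Aug/2024:10:01:09 +0000] "POST /classes/Master.php?f=delete_category&id=7%27%20OR%201%3D1--%20- HTTP/1.1" 200 31
10.0.0.9 - - [30/Aug/2024:10:01:15 +0000] "POST /classes/Master.php?f=delete_category&id=1%20AND%20SLEEP(5) HTTP/1.1" 200 31
10.0.0.5 - - [30/Aug/2024:10:02:00 +0000] "GET /admin/categories.php HTTP/1.1" 200 5120
10.0.0.9 - - [30/Aug/2024:10:02:30 +0000] "POST /classes/Master.php?f=delete_category&id=7%2527%2520OR%25201%253D1 HTTP/1.1" 200 31
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} id={hit['id']!r} ({hit['reason']})")
```

The integer check does the real work: anything that is not an unsigned integer has no business in this parameter, so the keyword list only labels the reason and is not what the decision depends on. Feeding the same lines through after double-decoding is what catches the last sample, which a single URL-decode would pass as "non-numeric" noise rather than an obvious tautology.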
Monitoring Recommendations
- Monitor authenticated user sessions for repeated requests to the delete_category function within short intervals.
- Track the queries issued by the application's database account for unexpected INFORMATION_SCHEMA lookups, which indicate schema enumeration.
- Alert on sudden deletion of category records or integrity changes to tables referenced by the laboratory management application.
How to Mitigate CVE-2024-8348
Immediate Actions Required
- Restrict network access to the Computer Laboratory Management System using IP allowlists or VPN-only access while a fix is unavailable.
- Audit application accounts and revoke unnecessary privileges to reduce the impact of authenticated exploitation.
- Review web server and database logs for prior exploitation attempts against /classes/Master.php?f=delete_category.
Patch Information
No vendor patch has been published for CVE-2024-8348 at the time of NVD publication. The vulnerability was disclosed publicly through VulDB submission #400378 without a coordinated vendor fix. Administrators should consider discontinuing use of the affected version until an official patch is released or applying manual code fixes by replacing string concatenation with parameterized queries in the delete_category function.
Workarounds
- Modify /classes/Master.php to use prepared statements with bound parameters for the id value in the delete_category function.
- Apply server-side input validation to enforce that the id parameter contains only integer values before passing it to any SQL query.
- Deploy a WAF rule blocking SQL meta-characters in requests to the Master.php endpoint as a compensating control.
# Example ModSecurity rule to block SQLi attempts on the vulnerable endpoint.
# phase:2 inspects the request body as well, so SecRequestBodyAccess must be On
# if the application submits id in a POST body rather than the query string.
SecRule REQUEST_URI "@contains /classes/Master.php" \
    "chain,phase:2,deny,status:403,log,id:1008348,msg:'Possible SQLi against delete_category (CVE-2024-8348)'"
    SecRule ARGS_GET:f "@streq delete_category" "chain"
    SecRule ARGS:id "!@rx ^[0-9]+$" "t:none"
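The string concatenation described under Root Cause and the prepared-statement fix from the first two workarounds, side by side. This is an added example and not the vendor's PHP: it models the pattern in Python against an in-memory SQLite database, and the table and column names (category, id, name) and the seeded rows are assumed for illustration.

```python
"""Vulnerable string-concatenated DELETE versus a validated, parameterized DELETE.

Added example, not the vendor's code: a Python/sqlite3 model of the pattern the
advisory describes for delete_category in /classes/Master.php. Table and column
names (category, id, name) and the seeded rows are assumed for illustration.
"""
import re
import sqlite3

def fresh_db():
    """In-memory database seeded with three constructed category rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO category (id, name) VALUES (?, ?)",
                     [(1, "Lab A"), (2, "Lab B"), (3, "Lab C")])
    conn.commit()
    return conn

def delete_category_vulnerable(conn, category_id):
    """Mirrors the flaw (CWE-89): the raw id is spliced into the SQL text.
    With id = "1 OR 1=1" the statement becomes
    DELETE FROM category WHERE id = 1 OR 1=1 and removes every row."""
    cur = conn.execute("DELETE FROM category WHERE id = " + category_id)
    conn.commit()
    return cur.rowcount

def delete_category_fixed(conn, category_id):
    """Hardened: reject anything but an unsigned integer, then bind the value.
    Binding alone already neutralizes the injection (the payload is compared
    to id as a literal and matches nothing); the type check adds a clear error
    and a log-worthy signal instead of a silent no-op."""
    if not re.fullmatch(r"[0-9]+", category_id):
        raise ValueError("id must be an unsigned integer")
    cur = conn.execute("DELETE FROM category WHERE id = ?", (int(category_id),))
    conn.commit()
    return cur.rowcount

def remaining(conn):
    """Rows left in the category table."""
    return conn.execute("SELECT COUNT(*) FROM category").fetchone()[0]

def demo(payload="1 OR 1=1"):
    """Run the same attacker-controlled id through both implementations."""
    vuln = fresh_db()
    vulnerable_deleted = delete_category_vulnerable(vuln, payload)
    fixed = fresh_db()
    try:
        fixed_deleted, fixed_error = delete_category_fixed(fixed, payload), None
    except ValueError as exc:
        fixed_deleted, fixed_error = 0, str(exc)
    return {
        "vulnerable_deleted": vulnerable_deleted, "vulnerable_left": remaining(vuln),
        "fixed_deleted": fixed_deleted, "fixed_left": remaining(fixed),
        "fixed_error": fixed_error,
    }

if __name__ == "__main__":
    print(demo())        # attacker-controlled id
    print(demo("2"))     # legitimate id
```

Note that the payload needs no quote character: because id is compared as a number, a bare tautology appended to the value is enough, which is why a WAF rule that only looks for quotes or comment sequences is weaker than the integer-only check used in the ModSecurity rule above. In the PHP application the equivalent fix is a PDO or mysqli prepared statement with the id bound as an integer.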
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.