CVE-2024-9009 Overview
CVE-2024-9009 is a SQL injection vulnerability in code-projects Online Quiz Site 1.0. The flaw exists in the showtest.php file, where the subid parameter is passed to a database query without proper sanitization. A remote attacker can manipulate the parameter to inject arbitrary SQL statements against the backend database.
The vulnerability requires low privileges and no user interaction. Public exploit details have been disclosed, increasing the risk of opportunistic exploitation against exposed instances. The issue is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Remote attackers can execute arbitrary SQL queries through the subid parameter in showtest.php, potentially exposing quiz data, user records, and credentials stored in the application database.
Affected Products
- code-projects Online Quiz Site 1.0
- Vendor: Fabian (code-projects.org)
- CPE: cpe:2.3:a:fabian:online_quiz_site:1.0
Discovery Timeline
- 2024-09-20 - CVE-2024-9009 published to NVD
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2024-9009
Vulnerability Analysis
The vulnerability resides in the showtest.php script of the Online Quiz Site 1.0 application. The script accepts the subid parameter via an HTTP request and incorporates the value directly into a SQL query. Because the input is neither validated nor parameterized, attacker-supplied SQL syntax is parsed and executed by the database engine.
Exploitation can be performed remotely over the network. The attacker needs only a low-privileged context, such as a registered quiz user or any account capable of reaching the vulnerable endpoint. Successful exploitation allows extraction of arbitrary records, modification of quiz content, and potential authentication bypass through UNION-based or boolean-based injection techniques.
The EPSS score of 0.105% places near-term exploitation probability in the lower percentile, but public disclosure of the exploit path raises the likelihood of automated scanning against exposed instances.
Root Cause
The root cause is direct concatenation of untrusted input into a SQL statement, classified under CWE-89. The application fails to use prepared statements or parameterized queries, and no input filtering is applied to the subid argument before it reaches the database driver.
Attack Vector
An attacker crafts an HTTP request to showtest.php and appends SQL payloads to the subid parameter. Network reachability to the web application is the only prerequisite. Once injected, the database executes the attacker-controlled clause and returns results within the application response, enabling data exfiltration through standard injection techniques.
No verified proof-of-concept code is referenced by NVD. See the GitHub CVE Issue Tracker and VulDB entry #278165 for additional technical context.
Detection Methods for CVE-2024-9009
Indicators of Compromise
- HTTP requests to showtest.php containing SQL metacharacters in the subid parameter such as single quotes, UNION SELECT, OR 1=1, or comment sequences like -- and #.
- Unexpected database error messages or stack traces returned in HTTP responses from showtest.php.
- Spikes in request volume to showtest.php from a single source IP or user agent associated with SQL injection tooling such as sqlmap.
Detection Strategies
- Deploy web application firewall rules that flag SQL syntax in query string parameters targeting showtest.php.
- Enable database query logging and alert on queries containing unusual UNION or stacked statement patterns against the quiz schema.
- Correlate authentication events with anomalous database read volume to identify credential or data exfiltration attempts.
Monitoring Recommendations
- Forward web server access logs and PHP error logs to a centralized logging platform for parameter-level inspection.
- Monitor outbound database connections from the application host for unusual destinations or data volumes.
- Track failed login attempts and account enumeration patterns that may follow successful injection.
How to Mitigate CVE-2024-9009
Immediate Actions Required
- Restrict network access to the Online Quiz Site application to trusted networks until a patched build is available.
- Audit web server logs for prior requests to showtest.php containing SQL injection signatures and investigate any matching sessions.
- Rotate database credentials and any application secrets that may have been exposed through the vulnerable parameter.
Patch Information
No official vendor patch is referenced in the NVD entry for CVE-2024-9009. Operators should monitor the code-projects website for vendor updates and consider migrating off Online Quiz Site 1.0 if no fix is published.
Workarounds
- Place the application behind a web application firewall configured with OWASP Core Rule Set protections for SQL injection.
- Implement server-side input validation on the subid parameter to enforce a strict numeric type before the value reaches the database layer.
- Refactor the vulnerable query in showtest.php to use parameterized statements with PDO or mysqli prepared statements.
- Apply least-privilege permissions to the database account used by the application to limit the impact of successful injection.
# Example WAF rule (ModSecurity) to block SQLi patterns on showtest.php
SecRule REQUEST_URI "@contains /showtest.php" \
"chain,deny,status:403,id:1009001,msg:'Potential SQLi targeting CVE-2024-9009'"
SecRule ARGS:subid "@detectSQLi" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
