CVE-2024-9974 Overview
CVE-2024-9974 is a SQL injection vulnerability in SourceCodester Online Eyewear Shop 1.0, developed by oretnom23. The flaw resides in the classes/Master.php?f=add_to_card endpoint, where the product_id parameter is processed without proper sanitization. Attackers can manipulate this parameter through crafted POST requests to inject arbitrary SQL statements into backend database queries.
The vulnerability is remotely exploitable and requires only low privileges. A public proof-of-concept has been disclosed, increasing the risk of opportunistic exploitation against exposed installations. The weakness is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Remote attackers with low-privilege access can inject arbitrary SQL through the product_id parameter, potentially exposing database contents and integrity in Online Eyewear Shop 1.0 deployments.
Affected Products
- SourceCodester Online Eyewear Shop 1.0
- Vendor: oretnom23
- CPE: cpe:2.3:a:oretnom23:online_eyewear_shop:1.0:*:*:*:*:*:*:*
Discovery Timeline
- 2024-10-15 - CVE-2024-9974 published to NVD
- 2024-10-15 - Last updated in NVD database
- Public disclosure - Proof-of-concept released as a GitHub Gist (PoC Code)
Technical Details for CVE-2024-9974
Vulnerability Analysis
The vulnerability exists within the POST request handler at classes/Master.php?f=add_to_card. The add_to_card function accepts a product_id parameter from the HTTP POST body and concatenates it directly into a SQL query. The application performs no input validation, type casting, or parameterized query binding before executing the statement against the backend database.
This pattern is characteristic of CWE-89 SQL injection flaws found in many PHP-based e-commerce demos. Because the cart functionality is reachable by authenticated users with minimal privileges, the attack surface includes any account that can browse products. Successful injection can disclose database contents, modify cart state, and potentially expose customer credentials stored in the same schema.
Root Cause
The root cause is missing input sanitization and the absence of prepared statements in the add_to_card handler. The PHP code builds SQL queries through string concatenation using untrusted user input. Because the value is never bound as a typed parameter, the MySQL driver cannot enforce an integer type on it, and attacker-controlled SQL fragments are parsed as part of the statement and alter its semantics.
Attack Vector
An attacker submits a POST request to classes/Master.php?f=add_to_card with a malicious payload in the product_id field. Typical payloads include UNION-based extraction queries, boolean-based blind injection, or time-based blind injection using SLEEP(). The attack requires network access to the application and a low-privilege session, but no user interaction. Public PoC code is available on GitHub Gist, lowering the barrier to exploitation.
For technical details, refer to the GitHub Gist PoC Code and VulDB entry #280339.
Detection Methods for CVE-2024-9974
Indicators of Compromise
- POST requests to classes/Master.php?f=add_to_card containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP(, or comment sequences (--, #, /*) in the product_id field.
- Unusual database errors logged by the application referencing the cart functionality.
- Anomalous response times on the add_to_card endpoint indicating time-based blind injection probes.
- Web server access logs showing repeated add_to_card POSTs from the same source with varying product_id values.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect POST bodies for SQL injection signatures targeting the product_id parameter.
- Enable database query logging and alert on syntax errors originating from the add_to_card code path.
- Monitor for product_id values that are non-numeric or exceed expected length, since legitimate values are integer identifiers.
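The indicators and detection strategies listed above can be checked mechanically over proxy or WAF logs. The script below is an added example, not part of the original advisory or of the Online Eyewear Shop project. It assumes a reverse proxy or WAF in front of the shop logs the URL-encoded POST body and the response time on each line (stock access logs record neither), and the log lines, the SLOW_MS threshold and the PROBE_THRESHOLD value are constructed for the example and should be tuned to the deployment.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not from any real deployment). Assumed format, one request per line:
#   <client_ip> [<timestamp>] "<method> <path> <proto>" <status> <url-encoded POST body or -> <response_ms>
# Stock access logs carry neither the POST body nor the timing, so this assumes a reverse proxy
# or WAF in front of the shop has been configured to log both.
SAMPLE_LOG = """\
10.0.0.5 [15/Oct/2024:10:00:01 +0000] "POST /classes/Master.php?f=add_to_card HTTP/1.1" 200 product_id=12 120
10.0.0.9 [15/Oct/2024:10:00:02 +0000] "POST /classes/Master.php?f=add_to_card HTTP/1.1" 200 product_id=7 98
10.0.0.5 [15/Oct/2024:10:00:03 +0000] "POST /classes/Master.php?f=add_to_card HTTP/1.1" 500 product_id=12%27 140
10.0.0.5 [15/Oct/2024:10:00:04 +0000] "POST /classes/Master.php?f=add_to_card HTTP/1.1" 200 product_id=12+UNION+SELECT+1,2,3 160
10.0.0.5 [15/Oct/2024:10:00:05 +0000] "POST /classes/Master.php?f=add_to_card HTTP/1.1" 200 product_id=12+AND+SLEEP(5)--+ 5130
10.0.0.9 [15/Oct/2024:10:00:06 +0000] "GET /index.php?page=products HTTP/1.1" 200 - 45
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]+" (\d{3}) (\S+) (\d+)$')
# Metacharacters and keywords named as indicators in the advisory.
SQLI_SIGNATURES = re.compile(r"'|\bUNION\b|\bSELECT\b|SLEEP\s*\(|--|#|/\*", re.IGNORECASE)
INT_ID = re.compile(r"[0-9]{1,10}")  # legitimate product_id values are plain integer identifiers
SLOW_MS = 3000          # assumed threshold for flagging a time-based probe; tune to the deployment
PROBE_THRESHOLD = 3     # assumed: distinct product_id values from one source before flagging probing


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, body, ms = m.groups()
    url = urlsplit(target)
    is_cart = (url.path.endswith("/classes/Master.php")
               and parse_qs(url.query).get("f") == ["add_to_card"])
    # parse_qs URL-decodes the body, so %27 becomes a quote and + becomes a space before matching.
    product_id = parse_qs(body).get("product_id", [None])[0]
    return {"ip": ip, "ts": ts, "method": method, "cart": is_cart,
            "status": int(status), "product_id": product_id, "ms": int(ms)}


def analyze(log_text):
    """Return (source_ip, reason, detail) findings for add_to_card POSTs that match an indicator."""
    findings = []
    per_source = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not rec["cart"] or rec["method"] != "POST":
            continue
        pid = rec["product_id"] or ""
        per_source[rec["ip"]].add(pid)
        if INT_ID.fullmatch(pid) is None:
            findings.append((rec["ip"], "non_integer_product_id", pid))
        if SQLI_SIGNATURES.search(pid):
            findings.append((rec["ip"], "sqli_signature", pid))
        if rec["ms"] >= SLOW_MS:
            findings.append((rec["ip"], "slow_response", pid))
        if rec["status"] >= 500:
            findings.append((rec["ip"], "server_error", pid))   # likely a database error on the cart path
    # Repeated add_to_card POSTs from one source with varying product_id values.
    for ip, values in per_source.items():
        if len(values) >= PROBE_THRESHOLD:
            findings.append((ip, "repeated_probing", f"{len(values)} distinct product_id values"))
    return findings


if __name__ == "__main__":
    for ip, reason, detail in analyze(SAMPLE_LOG):
        print(f"{ip:12} {reason:24} {detail}")
```

The per-request checks fire on a single suspicious value, while the repeated-probing check needs several requests from one source, so the script only flags the second class of behaviour once the sample contains enough traffic; in production, run it over a sliding time window rather than a whole file.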
Monitoring Recommendations
- Correlate authentication events with cart endpoint activity to identify low-privilege accounts exhibiting injection behavior.
- Track outbound database connections and query volumes for sudden spikes consistent with mass data extraction.
- Retain HTTP request and response logs for the affected endpoint for forensic review.
How to Mitigate CVE-2024-9974
Immediate Actions Required
- Restrict network access to Online Eyewear Shop 1.0 deployments until a vendor patch is available.
- Place the application behind a WAF configured with SQL injection rule sets.
- Audit the classes/Master.php file and refactor add_to_card to use parameterized queries with PDO or mysqli prepared statements.
- Review database accounts used by the application and apply least-privilege permissions.
Patch Information
No official vendor patch is listed in the NVD references for CVE-2024-9974. Operators should monitor the SourceCodester project page for updates. Until an official fix is released, code-level remediation by application owners is required.
Workarounds
- Replace string-concatenated SQL in the add_to_card function with prepared statements that bind product_id as an integer.
- Add server-side input validation to reject non-numeric product_id values before they reach the database layer.
- Disable the cart endpoint or take the application offline if it is exposed to untrusted networks and cannot be patched promptly.
Example: enforce integer validation in PHP before query execution
<?php
// filter_input() returns false for a non-integer value and null when the field is absent; both must be rejected.
$product_id = filter_input(INPUT_POST, 'product_id', FILTER_VALIDATE_INT);
if ($product_id === false || $product_id === null) { http_response_code(400); exit('Invalid product_id'); }
// $pdo is the application's PDO connection; $user_id is the authenticated user's id taken from the session, never from the request.
$stmt = $pdo->prepare('INSERT INTO cart (product_id, user_id) VALUES (:pid, :uid)');
$stmt->bindValue(':pid', $product_id, PDO::PARAM_INT);
$stmt->bindValue(':uid', $user_id, PDO::PARAM_INT);
$stmt->execute();
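The Root Cause section and the first two workarounds describe one defect and its fix. The following Python example is added here and is not code from the advisory or from the Online Eyewear Shop project: it models an add_to_card handler against an in-memory SQLite database so the concatenating and the validated, parameter-bound versions can be run side by side. The table schema, the user id and the payload are constructed for the example (the project's real schema is not on the page).

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the shop schema (the real schema is not part of the advisory)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE cart (id INTEGER PRIMARY KEY AUTOINCREMENT, product_id INTEGER, user_id INTEGER);
        INSERT INTO products VALUES (1, 'Reading glasses', 19.99), (2, 'Sunglasses', 49.99), (3, 'Frames', 89.00);
    """)
    return conn


def add_to_cart_vulnerable(conn, user_id, raw_product_id):
    """CWE-89 pattern as described for Master.php: the request value is spliced into the SQL text."""
    sql = ("INSERT INTO cart (product_id, user_id) SELECT id, %d FROM products WHERE id = %s"
           % (user_id, raw_product_id))
    conn.execute(sql)
    conn.commit()


def validate_product_id(raw):
    """Server-side check: legitimate product_id values are plain positive integers."""
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]{1,10}", raw) is None:
        raise ValueError("invalid product_id")
    return int(raw)


def add_to_cart_safe(conn, user_id, raw_product_id):
    """Hardened handler: validate first, then bind product_id as a parameter instead of concatenating."""
    product_id = validate_product_id(raw_product_id)
    conn.execute(
        "INSERT INTO cart (product_id, user_id) SELECT id, ? FROM products WHERE id = ?",
        (user_id, product_id),
    )
    conn.commit()


def cart_size(conn, user_id):
    return conn.execute("SELECT COUNT(*) FROM cart WHERE user_id = ?", (user_id,)).fetchone()[0]


def demo():
    """Run both handlers against the same constructed payload and report what each does."""
    user_id = 42
    payload = "1 OR 1=1"          # constructed boolean payload: makes the WHERE clause always true

    conn = make_db()
    add_to_cart_vulnerable(conn, user_id, payload)
    vulnerable_rows = cart_size(conn, user_id)   # every product is inserted, not just one

    conn = make_db()
    add_to_cart_safe(conn, user_id, "2")
    safe_rows = cart_size(conn, user_id)         # exactly one row
    try:
        add_to_cart_safe(conn, user_id, payload)
        rejected = False
    except ValueError:
        rejected = True                          # the payload never reaches the database
    return {"vulnerable_rows": vulnerable_rows, "safe_rows": safe_rows,
            "payload_rejected": rejected, "safe_rows_after_payload": cart_size(conn, user_id)}


if __name__ == "__main__":
    print(demo())
```

Validation and binding are independent layers: the integer check rejects the request with a 400 before any query runs, and the bound parameter guarantees that whatever reaches the driver is treated as a value rather than as SQL text, which is why the PHP snippet above does both.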
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.