CVE-2023-24202 – Raffle Draw System v1.0 contains a local file i... (How to Fix)

Q: What is the severity of CVE-2023-24202?

CVE-2023-24202 has a CVSS score of 9.8 (CRITICAL). Raffle Draw System v1.0 contains a local file inclusion vulnerability in the page parameter of index.php. This allows attackers to read arbitrary files from the server, potentially exposing sensitive data. Anyone using this specific version of the software is affected.

📋 TL;DR

Raffle Draw System v1.0 contains a local file inclusion vulnerability in the page parameter of index.php. This allows attackers to read arbitrary files from the server, potentially exposing sensitive data. Anyone using this specific version of the software is affected.

💻 Affected Systems

Products:

Raffle Draw System

Versions: v1.0

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Affects default installation with no configuration changes needed.

📦 What is this software?

Raffle Draw System by Oretnom23

View all CVEs affecting Raffle Draw System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise through reading sensitive files like /etc/passwd, database credentials, or session files, potentially leading to remote code execution.

🟠

Likely Case

Unauthorized access to sensitive configuration files, source code, or user data stored on the server.

🟢

If Mitigated

Limited impact with proper file permissions and input validation preventing directory traversal.

🌐 Internet-Facing: HIGH - Directly exploitable via web requests without authentication.

🏢 Internal Only: HIGH - Even internal systems are vulnerable to authenticated or unauthenticated attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP request manipulation required, no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch exists. Remove or replace the vulnerable software.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to restrict page parameter to allowed values only

Modify index.php to validate page parameter against whitelist

Web Application Firewall Rule

all

Block requests with directory traversal patterns in page parameter

Add WAF rule to detect ../ patterns in URL parameters

🧯 If You Can't Patch

Remove Raffle Draw System v1.0 from production immediately
Isolate affected systems from network access until replacement

🔍 How to Verify

Check if Vulnerable:

Test by accessing index.php?page=../../../../etc/passwd and checking for file contents in response

Check Version:

Check software version in admin panel or readme files

Verify Fix Applied:

Attempt same LFI test after fixes - should return error or default page

📡 Detection & Monitoring

Log Indicators:

HTTP requests with ../ patterns in page parameter
Unusual file access patterns from web logs

Network Indicators:

HTTP GET requests with directory traversal sequences

SIEM Query:

web.url:*../* AND web.param.page:*../*

📊 Metadata

CVE ID: CVE-2023-24202

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-434

Published: February 6, 2023

Last Updated: March 26, 2025

🔗 References

https://github.com/xiumulty/CVE/blob/main/Raffle%20draw%20system%20v1.0/lfi%20in%20index.php.md Exploit,Third Party Advisory
https://www.sourcecodester.com/php/15951/raffle-draw-system-using-php-and-javascript-free-source-code.html Product
https://github.com/xiumulty/CVE/blob/main/Raffle%20draw%20system%20v1.0/lfi%20in%20index.php.md Exploit,Third Party Advisory
https://www.sourcecodester.com/php/15951/raffle-draw-system-using-php-and-javascript-free-source-code.html Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-24202, you might also want to check these: