CVE-2024-10156 – This critical SQL injection vulnerability in PH... (How to Fix)

Q: What is the severity of CVE-2024-10156?

CVE-2024-10156 has a CVSS score of 7.3 (HIGH). This critical SQL injection vulnerability in PHPGurukul Boat Booking System 1.0 allows attackers to execute arbitrary SQL commands via the username parameter on the admin sign-in page. Attackers can potentially access, modify, or delete database content, including sensitive booking information and admin credentials. All installations of version 1.0 with the vulnerable component exposed are affected.

📋 TL;DR

This critical SQL injection vulnerability in PHPGurukul Boat Booking System 1.0 allows attackers to execute arbitrary SQL commands via the username parameter on the admin sign-in page. Attackers can potentially access, modify, or delete database content, including sensitive booking information and admin credentials. All installations of version 1.0 with the vulnerable component exposed are affected.

💻 Affected Systems

Products:

PHPGurukul Boat Booking System

Versions: 1.0

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default installation. Any system with the /admin/index.php file accessible is vulnerable.

📦 What is this software?

Boat Booking System by Phpgurukul

View all CVEs affecting Boat Booking System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, admin credential disclosure, system takeover, and potential lateral movement to connected systems.

🟠

Likely Case

Unauthorized access to booking data, customer information exposure, and potential privilege escalation to admin accounts.

🟢

If Mitigated

Limited impact if proper input validation and WAF rules block malicious payloads, though underlying vulnerability remains.

🌐 Internet-Facing: HIGH - The vulnerable admin page is typically internet-facing, allowing remote exploitation without authentication.

🏢 Internal Only: MEDIUM - If admin interface is restricted internally, risk reduces but still exists for internal threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://phpgurukul.com/

Restart Required: No

Instructions:

No official patch available. Consider implementing parameterized queries or input validation in /admin/index.php, or migrate to a different booking system.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add server-side validation to sanitize username input before SQL processing

Edit /admin/index.php to add: $username = mysqli_real_escape_string($connection, $_POST['username']);

Web Application Firewall Rules

all

Implement WAF rules to block SQL injection patterns targeting the admin sign-in page

Add WAF rule: Detect and block requests containing SQL keywords like UNION, SELECT, INSERT targeting /admin/index.php

🧯 If You Can't Patch

Restrict access to /admin/ directory using IP whitelisting or VPN-only access
Implement rate limiting and monitoring on the admin sign-in page for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Test the admin sign-in page with SQL injection payloads like: admin' OR '1'='1

Check Version:

Check system documentation or contact vendor to confirm version 1.0 is installed

Verify Fix Applied:

Attempt SQL injection tests after implementing fixes; successful login should only occur with valid credentials

📡 Detection & Monitoring

Log Indicators:

Multiple failed login attempts with SQL keywords in username field
Unusual database queries from admin interface

Network Indicators:

HTTP POST requests to /admin/index.php containing SQL injection patterns

SIEM Query:

source="web_logs" AND uri="/admin/index.php" AND (username CONTAINS "UNION" OR username CONTAINS "SELECT" OR username CONTAINS "--")

📊 Metadata

CVE ID: CVE-2024-10156

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89

Published: October 19, 2024

Last Updated: October 22, 2024

🔗 References

https://github.com/jadu101/CVE/blob/main/phpgurukul_boat_booking_system_admin_index_sqli.md Exploit,Third Party Advisory
https://phpgurukul.com/ Product
https://vuldb.com/?ctiid.280942 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?id.280942 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.425398 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-10156, you might also want to check these: