CVE-2024-10171
📋 TL;DR
This critical SQL injection vulnerability in the Blood Bank System allows attackers to manipulate database queries through the /admin/massage.php file. Remote attackers can potentially access, modify, or delete sensitive blood bank data. All users of Blood Bank System version 1.0 and earlier are affected.
💻 Affected Systems
- Blood Bank System
📦 What is this software?
Blood Bank System by Code Projects
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data destruction, or unauthorized administrative access to the entire blood bank system.
Likely Case
Extraction of sensitive donor information, patient records, or blood inventory data, potentially leading to privacy violations and system disruption.
If Mitigated
Limited data exposure if proper input validation and database permissions are implemented, with minimal operational impact.
🎯 Exploit Status
Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://code-projects.org/
Restart Required: No
Instructions:
1. Check the vendor website for updates.
2. If no patch is available, implement the workarounds below.
3. Consider migrating to alternative software if the vendor is unresponsive.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add parameterized queries and input validation for the bid parameter in /admin/massage.php
Modify the PHP code to use prepared statements: $stmt = $conn->prepare('SELECT * FROM table WHERE id = ?'); $stmt->bind_param('i', $bid); $stmt->execute();
Access Restriction
Restrict access to /admin/massage.php to authorized users only
Add an authentication check at the beginning of massage.php (the session must be started before $_SESSION is read): session_start(); if(!isset($_SESSION['admin'])) { header('Location: login.php'); exit(); }
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection rules
- Isolate the Blood Bank System behind a reverse proxy with request filtering
🔍 How to Verify
Check if Vulnerable:
Test the /admin/massage.php endpoint with SQL injection payloads in the bid parameter (e.g., bid=1' OR '1'='1)
Check Version:
Check the version in the system configuration files or the admin panel
Verify Fix Applied:
Attempt SQL injection after implementing fixes and verify no database errors or unexpected behavior occurs
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web server logs
- Multiple failed login attempts followed by SQL injection patterns
- Requests to /admin/massage.php with suspicious bid parameters
Network Indicators:
- HTTP requests containing SQL keywords (SELECT, UNION, etc.) in bid parameter
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="/admin/massage.php" AND param="bid" AND (value MATCHES ".*[Ss][Ee][Ll][Ee][Cc][Tt].*" OR value MATCHES ".*[Uu][Nn][Ii][Oo][Nn].*")
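As an added example (not part of this advisory or the Blood Bank System project), the logic of the SIEM query above applied to constructed web-server log lines in Python. It URL-decodes the bid parameter before matching so that encoded payloads are not missed, and scopes the check to /admin/massage.php as the advisory does; the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/massage.php?bid=12 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /admin/massage.php?bid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9031',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /admin/massage.php?bid=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 233',
    '10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?bid=1%20UNION%20SELECT%201 HTTP/1.1" 200 100',
]

# Fields of a Common Log Format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Checked in order; the first match names the reason. The keyword rule mirrors the
# SELECT/UNION terms of the SIEM query, the second catches the quote-tautology shape.
SQLI_RULES = [
    ("sql_keyword", re.compile(r"\b(select|union)\b", re.IGNORECASE)),
    ("tautology", re.compile(r"'\s*or\s*'", re.IGNORECASE)),
]


def flag_massage_requests(lines):
    """Return (ip, status, decoded_bid, reason) for each /admin/massage.php request
    whose bid parameter matches an injection rule. A purely numeric bid is never
    flagged, since the fixed code binds it as an integer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m.group("target"))
        if parts.path != "/admin/massage.php":
            continue  # the advisory scopes the vulnerable parameter to this file
        for raw in parse_qs(parts.query, keep_blank_values=True).get("bid", []):
            value = unquote_plus(raw)  # second decode handles double-encoded values
            if value.isdigit():
                continue
            for reason, rule in SQLI_RULES:
                if rule.search(value):
                    hits.append((m.group("ip"), m.group("status"), value, reason))
                    break
    return hits


if __name__ == "__main__":
    for hit in flag_massage_requests(SAMPLE_LOGS):
        print(hit)
```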