CVE-2024-11962
📋 TL;DR
This critical SQL injection vulnerability in Simple Car Rental System 1.0 allows attackers to execute arbitrary SQL commands through the uname parameter in /login.php. Attackers can potentially steal sensitive data, modify database contents, or gain unauthorized access. All deployments of Simple Car Rental System 1.0 with the vulnerable login.php file are affected.
💻 Affected Systems
- Simple Car Rental System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, authentication bypass, and potential remote code execution if database functions allow it.
Likely Case
Unauthorized access to the application, extraction of sensitive user data (credentials, personal information), and potential modification of rental records.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permissions restricting dangerous operations.
🎯 Exploit Status
Exploit details are publicly available on GitHub. SQL injection via login forms is a well-understood attack vector with many automated tools available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://code-projects.org/
Restart Required: No
Instructions:
No official patch available. Consider migrating to a maintained alternative or implementing manual fixes as described in workarounds.
🔧 Temporary Workarounds
Implement Parameterized Queries
Replace direct string concatenation in SQL queries with prepared statements or parameterized queries to prevent SQL injection.
Edit /login.php to use prepared statements (e.g., mysqli_prepare, PDO::prepare) instead of direct variable insertion in SQL.
Input Validation and Sanitization
Add server-side validation to reject malicious input in the uname parameter.
Add PHP validation: if (!preg_match('/^[a-zA-Z0-9_]+$/', $_POST['uname'])) { die('Invalid username'); }
Web Application Firewall (WAF)
Deploy a WAF to block SQL injection attempts at the network layer.
Configure WAF rules to detect and block SQL injection patterns in POST requests to /login.php.
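The first two workarounds combined in one login handler, as an added example that is not code from the Simple Car Rental System project. Only the uname POST parameter comes from the advisory; the database credentials, the users table and its username and password_hash columns are assumptions.

```php
<?php
// Added example, not the project's own login.php. Table and column
// names are assumptions; only the `uname` parameter is from the advisory.
$mysqli = new mysqli('localhost', 'db_user', 'db_pass', 'car_rental');
$mysqli->set_charset('utf8mb4');

// The shape of the flaw: request input concatenated into the SQL text,
// so a quote in `uname` changes the query's logic. Kept commented out.
// $sql = "SELECT id FROM users WHERE username = '" . $_POST['uname'] . "'";

// Hardened: validate the parameter, then bind it as data via a prepared
// statement so the database never parses it as SQL. Returns the user id
// on success, null on any failure (invalid input, unknown user, bad password).
function authenticate(mysqli $db, string $uname, string $password): ?int
{
    // Workaround 2: reject anything outside the expected username alphabet.
    if (!preg_match('/^[a-zA-Z0-9_]+$/', $uname)) {
        return null;
    }

    // Workaround 1: parameterized query with mysqli_prepare/bind_param.
    $stmt = $db->prepare(
        'SELECT id, password_hash FROM users WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $uname);   // bound as a string value, not interpolated
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    // Compare against a stored password hash rather than a plaintext column.
    if ($found && password_verify($password, $hash)) {
        return (int) $id;
    }
    return null;
}

$userId = authenticate($mysqli, $_POST['uname'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    http_response_code(401);
    exit('Invalid username or password');
}
// continue with session setup for $userId
```

Invalid and unknown usernames return the same generic 401 so the login form does not leak which check failed.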
🧯 If You Can't Patch
- Isolate the system behind a firewall with strict access controls and monitor all traffic to /login.php.
- Implement strong authentication mechanisms and limit database user permissions to minimize potential damage.
🔍 How to Verify
Check if Vulnerable:
Test the login form with SQL injection payloads like ' OR '1'='1 in the username field and observe if authentication bypass occurs or error messages reveal SQL details.
Check Version:
Check the software version in the application interface or review the source code files for version indicators.
Verify Fix Applied:
After applying fixes, retest with SQL injection payloads to confirm they are rejected or properly handled without allowing unauthorized access.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs, multiple failed login attempts with SQL-like patterns in username field, successful logins from unexpected IPs.
Network Indicators:
- HTTP POST requests to /login.php containing SQL keywords (UNION, SELECT, etc.) in parameters, abnormal traffic patterns to the login endpoint.
SIEM Query:
source="web_logs" AND uri="/login.php" AND (post_data LIKE "%UNION%" OR post_data LIKE "%SELECT%" OR post_data LIKE "%OR%1%1%")