CVE-2024-11967
📋 TL;DR
This critical SQL injection vulnerability in PHPGurukul Complaint Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the email parameter in the password reset function. Attackers can potentially access, modify, or delete database contents. All systems running the affected version are vulnerable.
💻 Affected Systems
- PHPGurukul Complaint Management System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, authentication bypass, privilege escalation, and potential remote code execution if database functions allow it.
Likely Case
Unauthorized access to sensitive complaint data, user information extraction, and potential administrative account takeover.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database user privilege restrictions.
🎯 Exploit Status
Exploit details are publicly available on GitHub. SQL injection via email parameter requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://phpgurukul.com/
Restart Required: No
Instructions:
1. Check the vendor website for security updates.
2. If no patch is available, implement the workarounds below immediately.
3. Consider replacing the software with an alternative if the vendor is unresponsive.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add server-side validation to ensure the email parameter contains only valid email characters before processing.
// PHP example: if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) { die('Invalid email'); }
Parameterized Query Implementation
Replace direct SQL concatenation with prepared statements using PDO or mysqli.
// PHP PDO example: $stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?'); $stmt->execute([$email]);
Access Restriction
Temporarily disable or restrict access to /admin/reset-password.php via the web server configuration.
# Apache: RedirectMatch 403 ^/admin/reset-password\.php$
# Nginx: location ~ ^/admin/reset-password\.php$ { return 403; }
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the reset-password endpoint.
- Isolate the system from internet access and restrict internal access to authorized users only.
🔍 How to Verify
Check if Vulnerable:
Test the /admin/reset-password.php endpoint with SQL injection payloads in the email parameter (e.g., email=test' OR '1'='1). Monitor for database errors or unexpected responses.
Check Version:
Check the software version in the admin panel or review the source code for version identifiers.
Verify Fix Applied:
After implementing fixes, attempt the same SQL injection tests and verify they are blocked or sanitized properly.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed password reset attempts with suspicious email patterns
- Requests to /admin/reset-password.php with special characters in parameters
Network Indicators:
- HTTP POST requests to reset-password.php containing SQL keywords (UNION, SELECT, etc.) in parameters
SIEM Query:
source="web_logs" AND uri="/admin/reset-password.php" AND (email="*'*" OR email="*--*" OR email="*UNION*" OR email="*SELECT*")
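The SIEM query above as a small Python detector, added here as an example and not part of the original advisory. It runs over constructed newline-delimited JSON web events; the field names ip, uri and email are assumptions about the log schema. It goes slightly beyond the query by grading a lone apostrophe as low confidence, since apostrophes are legal in the local part of an email address, and by counting repeat sources for the "multiple attempts" indicator.

```python
import json
import re
from collections import Counter

# Constructed sample events (not from any real system): newline-delimited JSON
# with the fields the SIEM query keys on (uri, email) plus the client IP.
SAMPLE_LOGS = """
{"ip": "203.0.113.5", "uri": "/admin/reset-password.php", "email": "alice@example.com"}
{"ip": "198.51.100.9", "uri": "/admin/reset-password.php", "email": "test' OR '1'='1"}
{"ip": "198.51.100.9", "uri": "/admin/reset-password.php", "email": "x UNION SELECT"}
{"ip": "198.51.100.9", "uri": "/admin/reset-password.php", "email": "admin'--"}
{"ip": "203.0.113.8", "uri": "/admin/reset-password.php", "email": "o'neil@example.com"}
{"ip": "203.0.113.7", "uri": "/admin/index.php", "email": "x UNION SELECT"}
"""

RESET_URI = "/admin/reset-password.php"
# Comment markers, SQL keywords and a quote followed by a boolean operator are
# high-confidence indicators. A lone apostrophe is legal in the local part of
# an address (o'neil@example.com), so on its own it is only low-confidence.
STRONG = re.compile(r"--|\bUNION\b|\bSELECT\b|'\s*(?:OR|AND)\b", re.IGNORECASE)
WEAK = re.compile(r"'")

def parse_logs(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(email):
    """Return 'high', 'low' or None for one request's email parameter."""
    return "high" if STRONG.search(email) else "low" if WEAK.search(email) else None

def suspicious_requests(events):
    """Reset-endpoint events whose email parameter looks injected, annotated
    with a confidence level; other URIs with the same keywords do not fire."""
    hits = []
    for event in events:
        level = classify(event.get("email", "")) if event.get("uri") == RESET_URI else None
        if level:
            hits.append({**event, "confidence": level})
    return hits

def repeat_offenders(events, threshold=2):
    """Client IPs with at least `threshold` high-confidence hits (the
    'multiple reset attempts with suspicious email patterns' indicator)."""
    counts = Counter(h["ip"] for h in suspicious_requests(events)
                     if h["confidence"] == "high")
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Treat low-confidence hits as review candidates rather than alerts; the high-confidence set and the repeat-offender list are what belong in an alert rule.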