CVE-2024-12357

4.3 MEDIUM

📋 TL;DR

An unauthenticated remote attacker can control the 'page' parameter of /index.php in SourceCodester Best House Rental Management System 1.0, and that value is passed to a PHP file inclusion. This lets the attacker read files on the server (source code, configuration, database credentials) and, depending on the PHP configuration and on what files the attacker can write or fetch, execute code on the host. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • SourceCodester Best House Rental Management System
Versions: 1.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Local file inclusion works with default PHP settings, since include() needs no special configuration. Inclusion of remote URLs additionally requires allow_url_include=On, which PHP ships disabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Sensitive file disclosure (configuration files, database credentials) and limited file system access.

🟢 If Mitigated: Limited impact with proper file permissions and web server hardening, potentially only file reading.

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on Pastebin, making attacks easy to automate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: none located; vendor site is https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch available. Consider workarounds or replacing the software.

🔧 Temporary Workarounds

Input Validation for Page Parameter

Applies to: all

Add strict validation so /index.php only accepts a fixed set of page values

Edit /index.php so the 'page' value is used only as a lookup key into an allow-list of route names mapped to files on disk, and reject anything else with a 404. Do not merely strip '../' from the string: stripping can be bypassed with nested or percent-encoded sequences, and it still leaves stream wrappers such as php:// reachable.

Web Application Firewall Rule

Applies to: all

Block requests with suspicious file paths in the page parameter

Add a WAF rule that blocks patterns like '../', '..\\', 'php://', 'file://' in URL parameters. The rule must match on the decoded value (including double percent-encoding such as '%252e%252e%252f'), otherwise '..%2f' and similar variants pass straight through.
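The following is an added example, not the vendor's index.php: it shows the vulnerable dispatch pattern the advisory describes next to the allow-list replacement recommended above. The route names, the ./pages/ directory and the file layout are assumed for illustration; the code needs PHP 8.

```php
<?php
// Added example (not the vendor's index.php): the vulnerable dispatch pattern
// the advisory describes next to an allow-list replacement. Page names and
// the ./pages/ directory are assumed for illustration.

// VULNERABLE: the attacker-controlled value becomes the include path. With
// ?page=../../../../etc/passwd this walks out of the web root, and with
// allow_url_include=On (off by default) ?page=http://... fetches and runs
// remote PHP.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: the request value is only ever a lookup key. Whatever the user
// sends, the only strings that can reach include() are these fixed paths.
const ALLOWED_PAGES = [
    'home'     => 'home.php',
    'houses'   => 'houses.php',
    'tenants'  => 'tenants.php',
    'payments' => 'payments.php',
];

function resolve_page(mixed $requested): ?string
{
    // ?page[]=x arrives as an array; anything that is not a plain string
    // is rejected before it is used as an array key.
    if (!is_string($requested)) {
        return null;
    }
    return ALLOWED_PAGES[$requested] ?? null;
}

// Defence in depth: after the allow-list, confirm the resolved file really
// sits under ./pages/ (guards against a later careless edit to the table).
function require_inside_pages_dir(string $relative): string
{
    $base = realpath(__DIR__ . '/pages');
    $real = realpath(__DIR__ . '/pages/' . $relative);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('page resolved outside the pages directory');
    }
    return $real;
}

$file = resolve_page($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include require_inside_pages_dir($file);
```

The point of the hardened form is that no substring of the request ever becomes part of a path: a traversal sequence, a stream wrapper or a URL simply fails the array lookup and produces a 404. The realpath() check is redundant while the table holds only bare filenames, but it turns a future mistake in the table into an exception instead of a file disclosure.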

🧯 If You Can't Patch

  • Remove the system from internet-facing networks immediately
  • Implement strict network segmentation and access controls

🔍 How to Verify

Check if Vulnerable:

Request /index.php?page=../../../../etc/passwd and check whether the response contains the file's contents, adjusting the number of '../' segments to the install depth. If the application appends '.php' to the value, that probe fails even on a vulnerable install; /index.php?page=php://filter/convert.base64-encode/resource=index then returns the base64-encoded source of index.php when inclusion is reachable. Only test systems you are authorised to assess.

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Repeat the probes above, including percent-encoded variants such as ..%2f..%2f: a fixed install returns a 404 or the default page with no file contents and no base64 blob.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /index.php with suspicious 'page' parameter values containing path traversal sequences

Network Indicators:

  • HTTP requests with parameters like 'page=../../../' or 'page=php://'

SIEM Query:

web.url:*index.php* AND (web.param.page:*../* OR web.param.page:*..\\* OR web.param.page:*://* OR web.param.page:*%2e%2e* OR web.param.page:*..%2f*)

Match on the URL-decoded value where the SIEM offers one; the raw-string patterns above miss double-encoded requests such as %252e%252e%252f.
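As an added example (not part of the advisory and not vendor code), the log indicators above implemented as a PHP 8 command-line script. It parses combined-format access log lines, pulls the raw 'page' value of requests to /index.php, decodes percent-encoding until it stops changing, and flags traversal sequences, stream wrappers and embedded NUL bytes. The log lines are constructed for the example; the IPs are documentation ranges.

```php
<?php
// Added detection example (not from the advisory or the vendor). Parses
// combined-format access log lines and flags requests to /index.php whose
// page parameter looks like path traversal or a PHP stream wrapper.
// The log lines below are constructed for the example.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:10:01:09 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2301 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2025:10:01:11 +0000] "GET /index.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2301 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2025:10:01:15 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2301 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2025:10:01:20 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 9870 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jan/2025:10:02:00 +0000] "GET /index.php?page=houses HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:02:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

// Decode percent-encoding until the value stops changing (bounded), so that
// ..%2F and the double-encoded %252e%252e%252f both reduce to a plain "../".
function fully_decode(string $value, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

function is_suspicious_page(string $raw): bool
{
    $v = strtolower(fully_decode($raw));
    // Traversal with either separator, any stream wrapper (php://, file://,
    // data://, expect://, ...), or an embedded NUL used to truncate ".php".
    return str_contains($v, '../')
        || str_contains($v, '..\\')
        || preg_match('#^[a-z][a-z0-9+.-]*://#', $v) === 1
        || str_contains($v, "\0");
}

// Returns one entry per flagged line: client IP, raw page value, HTTP status.
function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $target, $status] = $m;
        $qpos = strpos($target, '?');
        if ($qpos === false) {
            continue;
        }
        $path  = substr($target, 0, $qpos);
        $query = substr($target, $qpos + 1);
        if (!str_ends_with($path, '/index.php')) {
            continue;
        }
        // Do not use parse_str(): it urldecodes once and would hide which
        // encoding the attacker used. Pull the raw page value instead.
        if (!preg_match('/(?:^|&)page=([^&]*)/', $query, $q)) {
            continue;
        }
        if (is_suspicious_page($q[1])) {
            $hits[] = ['ip' => $ip, 'page' => $q[1], 'status' => (int) $status];
        }
    }
    return $hits;
}

foreach (scan_log(SAMPLE_LOG) as $hit) {
    printf("%-14s %3d %s\n", $hit['ip'], $hit['status'], $hit['page']);
}
```

Run against the sample it flags four of the seven lines: the plain traversal, the single- and double-encoded traversals, and the php://filter request; the two legitimate page loads and the login POST are ignored. A 200 status on a flagged line is the signal worth paging on, since a fixed install answers these probes with a 404.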
