CVE-2024-28279

7.3 HIGH

📋 TL;DR

Computer Book Store 1.0 contains a SQL injection vulnerability in the book.php parameter 'bookisbn' that allows attackers to execute arbitrary SQL commands. This affects all installations of this specific PHP application. Attackers can potentially access, modify, or delete database content through this vulnerability.

💻 Affected Systems

Products:
  • Computer Book Store
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of Computer Book Store 1.0 regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, authentication bypass, and potential server takeover via SQL injection to RCE chaining.

🟠 Likely Case

Database information disclosure, data manipulation, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via GET parameter requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Replace the vulnerable database query code in book.php with parameterized queries.
2. Implement proper input validation for the bookisbn parameter.
3. Test thoroughly before deployment.

🔧 Temporary Workarounds

Web Application Firewall (WAF) (applies to: all)

Deploy WAF rules to block SQL injection patterns in book.php requests.

Input Validation Filter (applies to: all)

Add input validation so that only ISBN format patterns (digits and hyphens) are accepted for the bookisbn parameter.
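The two fix steps above (parameterized queries in book.php plus ISBN-format validation of bookisbn) written out as an added PHP example. This is not Computer Book Store's own code (the advisory does not reproduce book.php); the table and column names (books, isbn, title, author, price), the mysqli connection parameters, and the helper names validate_isbn_param and fetch_book are assumptions to be adapted to the real schema.

```php
<?php
// Added example, not Computer Book Store's own book.php: a hardened handler for
// the 'bookisbn' GET parameter. Table/column names, connection details and the
// helper names are assumptions; adapt them to the real schema.
//
// The pattern this replaces is string concatenation of the raw parameter into
// SQL, e.g.  "... WHERE isbn = '" . $_GET['bookisbn'] . "'"  (do not use).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors instead of echoing them

/**
 * Layer 1: input validation. Accept only ISBN-shaped input (digits and hyphens;
 * 10 to 17 characters covers ISBN-10 and ISBN-13 with optional hyphens).
 * Returns null for anything else, including the payload 1' OR '1'='1.
 * If the catalogue stores ISBN-10 values ending in the check digit 'X',
 * extend the character class to [0-9X-].
 */
function validate_isbn_param($raw): ?string
{
    if (!is_string($raw)) {          // missing, or an array from bookisbn[]=...
        return null;
    }
    $raw = trim($raw);
    return preg_match('/^[0-9-]{10,17}$/', $raw) === 1 ? $raw : null;
}

/**
 * Layer 2: parameterized query. The ISBN is bound as a string parameter, so the
 * database never interprets it as SQL even if validation is later relaxed.
 */
function fetch_book(mysqli $db, string $isbn): ?array
{
    $stmt = $db->prepare('SELECT isbn, title, author, price FROM books WHERE isbn = ?');
    $stmt->bind_param('s', $isbn);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when no row matches
    $stmt->close();
    return $row;
}

$isbn = validate_isbn_param($_GET['bookisbn'] ?? null);
if ($isbn === null) {
    http_response_code(400);         // reject early; no database round trip for bad input
    exit('Invalid ISBN');
}

try {
    $db = new mysqli('localhost', 'bookstore_user', 'CHANGE_ME', 'bookstore'); // assumed credentials
    $db->set_charset('utf8mb4');
    $book = fetch_book($db, $isbn);
} catch (mysqli_sql_exception $e) {
    error_log('book.php database error: ' . $e->getMessage()); // log server-side only
    http_response_code(500);
    exit('Internal error');          // never echo SQL errors to the client
}

if ($book === null) {
    http_response_code(404);
    exit('Book not found');
}

// Output encoding for the values rendered back into HTML.
printf('<h1>%s</h1><p>%s</p>',
       htmlspecialchars($book['title'], ENT_QUOTES, 'UTF-8'),
       htmlspecialchars($book['author'], ENT_QUOTES, 'UTF-8'));
```

The two layers are deliberately independent: the prepared statement alone closes the injection, and the ISBN whitelist alone would also block the reported payload, so either surviving a future refactor still protects the query. Suppressing raw database errors from the response also removes the "SQL error" signal that the verification step above relies on, which is why that check should be done against a test copy before the error handling is tightened.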

🧯 If You Can't Patch

  • Isolate the application behind a reverse proxy with strict input filtering
  • Implement network segmentation to limit database access from the application server

🔍 How to Verify

Check if Vulnerable:

Test book.php?bookisbn=1' OR '1'='1 and observe if SQL error or unexpected behavior occurs.

Check Version:

Check source code or documentation for version information; no built-in version command.

Verify Fix Applied:

Test with SQL injection payloads and verify they are rejected or properly handled without database errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple requests to book.php with SQL keywords in parameters

Network Indicators:

  • HTTP requests to book.php containing SQL injection patterns in GET parameters

SIEM Query:

source="web_logs" AND uri="*book.php*" AND (param="*bookisbn=*'*" OR param="*bookisbn=*%27*")
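As an added example of the log and network indicators and the SIEM query above (not part of the advisory), a PHP script that applies the same logic to access-log lines: it picks out requests to book.php, percent-decodes the bookisbn parameter so that a literal quote and %27 are treated alike, flags values containing a quote, SQL keywords, or anything outside the digits-and-hyphens ISBN alphabet, and then counts repeat sources. The log lines are constructed for illustration, and the combined log format is an assumption.

```php
<?php
// Added example, not part of the advisory: apply the log indicators above to
// access-log lines. The sample lines are constructed; Apache/nginx combined
// log format and the field layout are assumptions.

$SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET /book.php?bookisbn=978-1-23456-789-7 HTTP/1.1" 200 5120',
    '203.0.113.20 - - [10/Mar/2024:12:00:05 +0000] "GET /book.php?bookisbn=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9876',
    '203.0.113.20 - - [10/Mar/2024:12:00:07 +0000] "GET /book.php?bookisbn=1\'+OR+\'1\'%3D\'1 HTTP/1.1" 500 312',
    '198.51.100.5 - - [10/Mar/2024:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '203.0.113.30 - - [10/Mar/2024:12:02:00 +0000] "GET /book.php?bookisbn=abc HTTP/1.1" 200 5120',
];

/** Parse one combined-format line into its interesting fields, or null if it does not match. */
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'uri' => $m[4], 'status' => (int) $m[5]];
}

/** Classify a decoded bookisbn value; null means it looks like a legitimate ISBN. */
function classify_isbn_value(string $value): ?string
{
    if (strpos($value, "'") !== false) {
        return 'quote';                   // the ' / %27 indicator from the SIEM query
    }
    if (preg_match('/\b(or|and|union|select|sleep|benchmark)\b/i', $value) === 1) {
        return 'sql_keyword';             // "SQL keywords in parameters"
    }
    if (preg_match('/^[0-9-]+$/', $value) !== 1) {
        return 'non_isbn';                // outside the digits-and-hyphens alphabet
    }
    return null;
}

/** Return the flagged requests: ip, time, status, decoded value and reason. */
function find_sqli_attempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $path  = parse_url($req['uri'], PHP_URL_PATH);
        $query = parse_url($req['uri'], PHP_URL_QUERY);
        if (!is_string($path) || basename($path) !== 'book.php' || !is_string($query)) {
            continue;
        }
        parse_str($query, $params);       // percent-decodes, so %27 and ' are treated alike
        if (!isset($params['bookisbn']) || !is_string($params['bookisbn'])) {
            continue;
        }
        $reason = classify_isbn_value($params['bookisbn']);
        if ($reason === null) {
            continue;
        }
        $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'status' => $req['status'],
                   'value' => $params['bookisbn'], 'reason' => $reason];
    }
    return $hits;
}

$hits = find_sqli_attempts($SAMPLE_LOG);
foreach ($hits as $h) {
    printf("%s %-14s status=%d reason=%-11s bookisbn=%s\n",
           $h['time'], $h['ip'], $h['status'], $h['reason'], $h['value']);
}
// "Multiple requests to book.php with SQL keywords": count flagged hits per source address.
foreach (array_count_values(array_column($hits, 'ip')) as $ip => $n) {
    if ($n > 1) {
        echo "repeated attempts from $ip: $n\n";
    }
}
```

Decoding before matching matters: the SIEM query above only catches a quote written as ' or %27, while parse_str also normalises + and double-encoded variants that a pattern on the raw URI would miss. A 500 status on a flagged request is worth correlating with the "unusual SQL errors" indicator in the application log, since it suggests the payload reached the database rather than being filtered.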
