CVE-2024-3350 – This critical SQL injection vulnerability in So... (How to Fix)

Q: What is the severity of CVE-2024-3350?

CVE-2024-3350 has a CVSS score of 7.3 (HIGH). This critical SQL injection vulnerability in SourceCodester Aplaya Beach Resort Online Reservation System 1.0 allows attackers to execute arbitrary SQL commands via the 'id' parameter in admin/mod_room/index.php. Attackers can potentially steal, modify, or delete database content, including sensitive reservation and customer data. All deployments of version 1.0 with the vulnerable file accessible are affected.

📋 TL;DR

This critical SQL injection vulnerability in SourceCodester Aplaya Beach Resort Online Reservation System 1.0 allows attackers to execute arbitrary SQL commands via the 'id' parameter in admin/mod_room/index.php. Attackers can potentially steal, modify, or delete database content, including sensitive reservation and customer data. All deployments of version 1.0 with the vulnerable file accessible are affected.

💻 Affected Systems

Products:

SourceCodester Aplaya Beach Resort Online Reservation System

Versions: 1.0

Operating Systems: Any OS running PHP/MySQL web server

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the admin/mod_room/index.php file to be accessible, which is part of standard installation.

📦 What is this software?

Aplaya Beach Resort Online Reservation System by Janobe

View all CVEs affecting Aplaya Beach Resort Online Reservation System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution via database functions.

🟠

Likely Case

Unauthorized access to sensitive reservation data, customer PII exposure, and potential privilege escalation to admin accounts.

🟢

If Mitigated

Limited impact with proper input validation and WAF rules blocking SQL injection patterns.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploits exist.

🏢 Internal Only: MEDIUM - Still significant risk if internal attackers exist, but reduced exposure surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires access to admin interface, but SQL injection payloads are simple and well-documented. Public proof-of-concept available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider replacing with alternative software or implementing custom fixes with parameterized queries.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to sanitize the 'id' parameter to accept only numeric values

In admin/mod_room/index.php, add: if(!is_numeric($_GET['id'])) { die('Invalid input'); }

WAF Rule Implementation

all

Deploy web application firewall rules to block SQL injection patterns

ModSecurity rule: SecRule ARGS:id "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

Block external access to the vulnerable system using network ACLs or firewall rules
Implement database user privilege reduction to limit potential damage from SQL injection

🔍 How to Verify

Check if Vulnerable:

Test the admin/mod_room/index.php endpoint with SQL injection payloads like: index.php?id=1' OR '1'='1

Check Version:

Check system documentation or admin panel footer for version information

Verify Fix Applied:

Test with same payloads after implementing fixes - should return error or no SQL execution

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in web server logs
Multiple failed login attempts followed by SQL injection patterns
Requests to admin/mod_room/index.php with suspicious parameters

Network Indicators:

HTTP requests containing SQL keywords (UNION, SELECT, INSERT) in URL parameters
Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (url="*admin/mod_room/index.php*" AND (param="*id=*'*" OR param="*id=*%27*" OR param="*id=* UNION *" OR param="*id=* SELECT *"))

📊 Metadata

CVE ID: CVE-2024-3350

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89

Published: April 5, 2024

Last Updated: February 11, 2025

🔗 References

https://github.com/qqqyc/vlun1/blob/main/Aplaya-Beach-Resort-Online-Reservation-System-03 Exploit,Third Party Advisory
https://vuldb.com/?ctiid.259454 Permissions Required,VDB Entry
https://vuldb.com/?id.259454 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.310218 Third Party Advisory,VDB Entry
https://github.com/qqqyc/vlun1/blob/main/Aplaya-Beach-Resort-Online-Reservation-System-03 Exploit,Third Party Advisory
https://vuldb.com/?ctiid.259454 Permissions Required,VDB Entry
https://vuldb.com/?id.259454 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.310218 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-3350, you might also want to check these: