CVE-2024-5063

7.3 HIGH

📋 TL;DR

This critical SQL injection vulnerability in PHPGurukul Online Course Registration System 3.1 allows attackers to bypass authentication via the admin login page. Remote attackers can manipulate username/password parameters to execute arbitrary SQL commands, potentially gaining unauthorized access. Organizations using this specific version of the software are affected.

💻 Affected Systems

Products:
  • PHPGurukul Online Course Registration System
Versions: Version 3.1
Operating Systems: Any OS running PHP (typically Linux/Windows with Apache/Nginx)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. Any system with /admin/index.php accessible is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to steal all user data, modify course registrations, install backdoors, or take full administrative control of the system.

🟠 Likely Case

Authentication bypass leading to unauthorized admin access, data exfiltration of student/course information, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH - The vulnerability affects the admin login page which is typically internet-facing, allowing remote exploitation without authentication.
🏢 Internal Only: MEDIUM - If the system is only accessible internally, risk is reduced but still significant due to SQL injection capabilities.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available showing authentication bypass via SQL injection in login parameters. Simple payloads can bypass authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

1. Check for an official vendor patch or updated version.
2. If none is available, implement input validation and parameterized queries in /admin/index.php.
3. Replace the vulnerable login logic with prepared statements.
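As an added example (not PHPGurukul's own code, which the page does not show), a representative string-concatenated login query beside the prepared-statement replacement that step 3 calls for; the `admin` table layout and column names are assumptions, and an in-memory SQLite database stands in for the real one so the script runs offline:

```php
<?php
// Added example, not PHPGurukul's own code. Assumed schema: table `admin`
// with columns id, username, password (the hardened version stores a hash).

// Representative vulnerable pattern: request values are spliced into the SQL
// text, so a username such as  ' OR '1'='1  rewrites the WHERE clause and the
// query matches a row without a valid password.
function vulnerable_login(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT id FROM admin WHERE username='$username' AND password='$password'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Hardened replacement: the query text is fixed, the username travels as a
// bound parameter (data, never SQL), and the password is checked against a
// stored hash in PHP. Returns the admin id on success, null otherwise.
function secure_login(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM admin WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash for unknown users so response time does not
    // reveal which usernames exist.
    $hash = $row['password'] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return null;
    }
    return (int) $row['id'];  // caller should session_regenerate_id(true) and store this
}

// Constructed in-memory SQLite database so the example runs offline.
// On MySQL also set PDO::ATTR_EMULATE_PREPARES => false for server-side prepares.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->prepare('INSERT INTO admin (username, password) VALUES (?, ?)')
    ->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

$bypass = "' OR '1'='1";
// The concatenated query accepts the bypass value in both fields.
var_dump(vulnerable_login($pdo, $bypass, $bypass));
// The prepared statement treats the same value as a literal username and rejects it.
var_dump(secure_login($pdo, $bypass, $bypass));
// Genuine credentials still work.
var_dump(secure_login($pdo, 'admin', 'correct horse battery staple'));
```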

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (platform: all)

Implement WAF rules to block SQL injection patterns in the login parameters. Example ModSecurity rule, covering both fields the login form submits:

SecRule ARGS:username|ARGS:password "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi in admin login'"

Authentication Rate Limiting (platform: linux)

Limit login attempts to reduce brute force and injection attempts. Note that Apache's SetEnvIf only sets an environment variable and enforces no limit by itself; use a rate-limiting module such as mod_evasive, or enforce the limit at the reverse proxy. The Nginx zone must also be applied in the admin location to take effect.

# Apache (mod_evasive): DOSPageCount 5
#                       DOSPageInterval 60
# Nginx (http block):   limit_req_zone $binary_remote_addr zone=admin:10m rate=5r/m;
# Nginx (location /admin/): limit_req zone=admin;

🧯 If You Can't Patch

  • Isolate the system behind a reverse proxy with strict input validation
  • Implement network segmentation to limit access to the admin interface

🔍 How to Verify

Check if Vulnerable:

Test the /admin/index.php endpoint with SQL injection payloads in username/password fields (e.g., ' OR '1'='1). Monitor for successful authentication bypass.

Check Version:

Check the system's about page or configuration files for an indication of version 3.1.

Verify Fix Applied:

Attempt the same SQL injection payloads after fixes. Successful fixes should reject malicious input and require valid credentials.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts with SQL patterns
  • Successful admin logins from unusual IPs

Network Indicators:

  • HTTP POST requests to /admin/index.php with SQL keywords in parameters
  • Unusual traffic patterns to admin interface

SIEM Query (pseudo-syntax; adapt to your platform):

source="web_logs" AND uri="/admin/index.php" AND (request_body CONTAINS "OR" OR request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT")

A bare "OR" substring will also match ordinary request bodies; matching whole tokens such as "' OR" or "UNION SELECT" reduces false positives.
