CVE-2024-5094 – This critical SQL injection vulnerability in So... (How to Fix)

Q: What is the severity of CVE-2024-5094?

CVE-2024-5094 has a CVSS score of 7.3 (HIGH). This critical SQL injection vulnerability in SourceCodester Best House Rental Management System 1.0 allows remote attackers to manipulate database queries through the 'id' parameter in view_payment.php. Attackers can potentially read, modify, or delete database contents, including sensitive rental and payment information. All users running the affected version are vulnerable.

📋 TL;DR

This critical SQL injection vulnerability in SourceCodester Best House Rental Management System 1.0 allows remote attackers to manipulate database queries through the 'id' parameter in view_payment.php. Attackers can potentially read, modify, or delete database contents, including sensitive rental and payment information. All users running the affected version are vulnerable.

💻 Affected Systems

Products:

SourceCodester Best House Rental Management System

Versions: 1.0

Operating Systems: Any OS running PHP with database backend

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of version 1.0 are vulnerable; the vulnerability exists in the core application code.

📦 What is this software?

Best House Rental Management System by Mayurik

View all CVEs affecting Best House Rental Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution via database functions.

🟠

Likely Case

Unauthorized access to sensitive rental data, payment information, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit code exists, making internet-facing instances immediate targets.

🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access; risk increases if attackers gain internal foothold.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available on GitHub; SQL injection via 'id' parameter requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

1. Check SourceCodester website for updates 2. If patch available, download and replace affected files 3. Test functionality after patching

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side validation to ensure 'id' parameter contains only numeric values

In view_payment.php, add: if(!is_numeric($_GET['id'])) { die('Invalid input'); }

WAF Rule Implementation

all

Deploy web application firewall rules to block SQL injection patterns

ModSecurity rule: SecRule ARGS:id "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

Isolate the system behind a reverse proxy with strict input validation
Implement database-level controls: restrict application database user permissions to SELECT only

🔍 How to Verify

Check if Vulnerable:

Test view_payment.php with SQL injection payloads in 'id' parameter: view_payment.php?id=1' OR '1'='1

Check Version:

Check application files for version markers or review source code comments

Verify Fix Applied:

Test with same payloads; application should reject invalid input or return error without database interaction

📡 Detection & Monitoring

Log Indicators:

Unusual SQL errors in application logs
Multiple requests to view_payment.php with special characters in parameters
Database queries with UNION, SELECT, or other SQL keywords from unexpected sources

Network Indicators:

HTTP requests with SQL injection patterns in 'id' parameter
Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="*view_payment.php*" AND (param="*id=*'*" OR param="*id=*%27*" OR param="*id=*UNION*" OR param="*id=*SELECT*")

📊 Metadata

CVE ID: CVE-2024-5094

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89

Published: May 18, 2024

Last Updated: February 10, 2025

🔗 References

https://github.com/BurakSevben/CVEs/blob/main/House%20Rental%20Management%20System/House%20Rental%20Management%20System%20-%20SQL%20Injection%20-%202.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.265073 Permissions Required,VDB Entry
https://vuldb.com/?id.265073 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.335714 Third Party Advisory,VDB Entry
https://github.com/BurakSevben/CVEs/blob/main/House%20Rental%20Management%20System/House%20Rental%20Management%20System%20-%20SQL%20Injection%20-%202.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.265073 Permissions Required,VDB Entry
https://vuldb.com/?id.265073 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.335714 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-5094, you might also want to check these: