CVE-2024-7665 – This critical SQL injection vulnerability in So... (How to Fix)

Q: What is the severity of CVE-2024-7665?

CVE-2024-7665 has a CVSS score of 6.3 (MEDIUM). This critical SQL injection vulnerability in SourceCodester Car Driving School Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the 'id' parameter in manage_package.php. Attackers can potentially access, modify, or delete database content. All users running the vulnerable version are affected.

📋 TL;DR

This critical SQL injection vulnerability in SourceCodester Car Driving School Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the 'id' parameter in manage_package.php. Attackers can potentially access, modify, or delete database content. All users running the vulnerable version are affected.

💻 Affected Systems

Products:

SourceCodester Car Driving School Management System

Versions: 1.0

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default installation. Any system with the vulnerable file accessible is affected.

📦 What is this software?

Car Driving School Management System by Oretnom23

View all CVEs affecting Car Driving School Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data destruction, authentication bypass, and potential remote code execution if database functions allow it.

🟠

Likely Case

Unauthorized data access and extraction of sensitive information such as user credentials, personal data, and business records.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely and the exploit is publicly available.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but remote exploitation capability makes internet-facing deployments more critical.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider workarounds or replacing the software.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add parameterized queries or proper input sanitization to the manage_package.php file

Modify PHP code to use prepared statements: $stmt = $conn->prepare('SELECT * FROM packages WHERE id = ?'); $stmt->bind_param('i', $id);

Web Application Firewall (WAF)

all

Deploy a WAF to block SQL injection attempts

Configure WAF rules to block SQL injection patterns in URL parameters

🧯 If You Can't Patch

Isolate the system from the internet and restrict access to authorized users only
Implement strict network segmentation and monitor all database access attempts

🔍 How to Verify

Check if Vulnerable:

Test the manage_package.php endpoint with SQL injection payloads in the 'id' parameter

Check Version:

Check the software version in the admin panel or configuration files

Verify Fix Applied:

Test with SQL injection payloads to confirm they are properly sanitized or blocked

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in web server logs
Multiple requests to manage_package.php with suspicious parameters

Network Indicators:

SQL keywords in URL parameters (SELECT, UNION, etc.)
Unusual database query patterns

SIEM Query:

source="web_server" AND (url="*manage_package.php*" AND (param="*id=*SELECT*" OR param="*id=*UNION*" OR param="*id=*OR*"))

📊 Metadata

CVE ID: CVE-2024-7665

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89

Published: August 12, 2024

Last Updated: August 15, 2024

🔗 References

https://github.com/BFS-Lab/BFSDV/blob/main/Sourcecodester%20Online%20Catering%20Reservation%20System%20SQL%20Injection-3.md Exploit
https://vuldb.com/?ctiid.274123 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?id.274123 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?submit.388769 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-7665, you might also want to check these: