CVE-2025-2384
📋 TL;DR
This critical SQL injection vulnerability in Real Estate Property Management System 1.0 allows remote attackers to execute arbitrary SQL commands through parameters in InsertCustomer.php. Attackers can potentially access, modify, or delete database content. All users running the vulnerable version are affected.
💻 Affected Systems
- code-projects Real Estate Property Management System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data destruction, authentication bypass, and potential server takeover via SQL injection to RCE chaining.
Likely Case
Database information disclosure, data manipulation, and potential privilege escalation affecting customer records and system data.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only error messages or partial data exposure.
🎯 Exploit Status
Exploit details are publicly available on GitHub. SQL injection is a well-understood attack vector with many automated tools available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://code-projects.org/
Restart Required: No
Instructions:
No official patch available. Check vendor website for updates. Consider implementing parameterized queries and input validation manually.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement strict input validation and parameterized queries for all user inputs in InsertCustomer.php
Modify InsertCustomer.php to use prepared statements: $stmt = $conn->prepare('INSERT INTO customers (name, address) VALUES (?, ?)'); $stmt->bind_param('ss', $txtName, $txtAddress);
Web Application Firewall Rules
allDeploy WAF rules to block SQL injection patterns targeting InsertCustomer.php parameters
Add WAF rule: Block requests to /InsertCustomer.php containing SQL keywords like UNION, SELECT, INSERT, DELETE, DROP, OR 1=1
🧯 If You Can't Patch
- Isolate the system behind a reverse proxy with strict input filtering
- Implement network segmentation and restrict database access to minimum required privileges
🔍 How to Verify
Check if Vulnerable:
Test InsertCustomer.php endpoint with SQL injection payloads in txtName, txtAddress, cmbCity, txtEmail, cmbGender, txtBirthDate, txtUserName2, txtPassword2 parametersCheck Version:
Check system documentation or admin panel for version information. No standard command available.Verify Fix Applied:
Verify that parameterized queries are implemented and test with SQL injection payloads to confirm they are blocked📡 Detection & Monitoring
Log Indicators:
- Unusual database queries from web server
- SQL syntax errors in application logs
- Multiple failed insert attempts with special characters
Network Indicators:
- HTTP POST requests to /InsertCustomer.php containing SQL keywords in parameters
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="/InsertCustomer.php" AND (param="txtName" OR param="txtAddress" OR param="cmbCity" OR param="txtEmail" OR param="cmbGender" OR param="txtBirthDate" OR param="txtUserName2" OR param="txtPassword2") AND (content="UNION" OR content="SELECT" OR content="INSERT" OR content="DELETE" OR content="DROP" OR content="OR 1=1")