The world of cybersecurity never ceases to surprise with the variety and complexity of vulnerabilities that put systems at risk. Today, we'll dive deep into the newly-discovered CVE-2024-34929, a high-risk SQL injection vulnerability found in the Campcodes Complete Web-Based School Management System 1.. This vulnerability affects the /view/find_friends.php script and potentially gives an attacker the ability to execute arbitrary SQL commands through the 'my_index' parameter. Sit tight as we explore the details of this vulnerability, including its exploit process, the code snippet that leads to it, and the original references that brought it to light.
The Vulnerability (CVE-2024-34929)
Campcodes Complete Web-Based School Management System is a widely-used web application that assists thousands of schools in managing their day-to-day operations. The vulnerability CVE-2024-34929, discovered in the application's 1. version, poses a significant security risk to the users of this system.
This SQL injection vulnerability allows an attacker to execute arbitrary SQL commands through /view/find_friends.php by exploiting the 'my_index' parameter. The flaw results from improper sanitization of user-supplied input, leaving the application open to attacks that can compromise sensitive data.
The following code snippet demonstrates where the issue originates in the /view/find_friends.php script:
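// Value is taken straight from the query string, with no validation
$my_index = $_GET['my_index'];
// It is then interpolated directly into the SQL text
$sql = "SELECT * FROM friends WHERE user_id = '$my_index'";
$result = $conn->query($sql);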
As seen in the code above, the 'my_index' parameter is read directly from $_GET without any input sanitization or validation and is then interpolated into the SQL string. This lack of proper input handling allows an attacker to inject malicious SQL queries into the system, potentially leading to severe consequences.
Exploit Details
Exploiting this vulnerability takes only a simple GET request with a crafted URL containing the malicious SQL query. For instance, an attacker may use a URL like the following:
http://target_server/view/find_friends.php?my_index=3%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10--
In the above URL, the attacker replaces the 'my_index' value (which normally holds a user ID) with a specially crafted string. Because the value is placed inside the query unescaped, the single quote (%27) ends the string literal and the rest of the input is interpreted as SQL rather than as data, which allows the attacker to execute arbitrary SQL commands on the database.
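The hardened form of the lookup, as an added example (not code from Campcodes or from the original advisory): the parameter is validated as an integer and then passed as a bound parameter, so the query text never changes. Assumptions: PDO with an in-memory SQLite database stands in for the application's database, and the `friends` columns, sample rows and the `find_friends()` helper are constructed for illustration.

```php
<?php
// Added example: validated, parameterized version of the find_friends.php lookup.
// Assumptions: in-memory SQLite via PDO replaces the real database; the schema,
// rows and the find_friends() helper are constructed for this illustration.

function find_friends(PDO $conn, $raw): array
{
    // Allow-list validation: a user ID must be a positive integer.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('my_index must be a positive integer');
    }
    // The SQL text is fixed; the value travels separately as a bound parameter.
    $stmt = $conn->prepare('SELECT user_id, friend_name FROM friends WHERE user_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE friends (user_id INTEGER, friend_name TEXT)');
$conn->exec("INSERT INTO friends VALUES (3, 'alice'), (3, 'bob'), (7, 'carol')");

// Constructed inputs: a normal ID, and the decoded my_index value from the URL above.
// In the real script the input would be $_GET['my_index'] ?? ''.
$inputs = ['3', "3' UNION SELECT 1,2,3,4,5,6,7,8,9,10--"];
foreach ($inputs as $raw) {
    try {
        $rows = find_friends($conn, $raw);
        printf("%-45s -> %d row(s)\n", $raw, count($rows));
    } catch (InvalidArgumentException $e) {
        printf("%-45s -> rejected: %s\n", $raw, $e->getMessage());
    }
}
```

The legitimate ID returns its two rows, while the crafted value is rejected before it reaches the database; even without the validation step, the bound parameter would be compared as a value and never parsed as SQL.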
Original References
The discovery of this critical vulnerability is credited to the cybersecurity researchers whose findings were reported in the following sources:
1. National Vulnerability Database (NVD): NVD - CVE-2024-34929
2. Campcodes Complete Web-Based School Management System GitHub Repository: GitHub - Campcodes/campcodes
Conclusion
CVE-2024-34929 represents a severe vulnerability in the widely-used Campcodes Complete Web-Based School Management System. It highlights the importance of secure programming practices, proper input validation, and persistent efforts to detect and remediate such flaws. Developers, security researchers, and users all have crucial roles in ensuring the overall safety of web applications and their users.
Timeline
Published on: 05/23/2024 17:15:29 UTC
Last modified on: 08/01/2024 13:52:26 UTC