CVE-2024-34930 - SQL Injection Vulnerability in Campcodes Complete Web-Based School Management System 1.

A newly discovered SQL injection vulnerability with the designation CVE-2024-34930 has been reported in the Campcodes Complete Web-Based School Management System (CWBSMS) 1.. This vulnerability exists in the /model/all_events1.php file and is exploitable via the month parameter. This article details the vulnerability and outlines the possible risks associated with it, as well as steps that can be taken to remediate this issue.

Background

Campcodes Complete Web-Based School Management System (CWBSMS) is an online application designed to help schools manage their day-to-day operations, such as student information, schedules, and other essential tasks related to school management.

This system has gained popularity due to its affordability and simpler user interface, making it accessible to a large number of schools and institutions that are looking for a cost-effective management system.

Vulnerability Details

CVE-2024-34930 is a SQL injection vulnerability discovered in /model/all_events1.php in CWBSMS 1.. The attack is executed by manipulating the month parameter through SQL injection, which allows an attacker to execute arbitrary SQL commands.

This vulnerability poses a significant risk as it allows attackers to extract sensitive data, manipulate database contents, or even execute remote code through SQL commands. Here is a snippet of the code containing the vulnerable month parameter in the /model/all_events1.php file:

$month = $_POST['month'];
$year = date('Y');

$query = "SELECT * FROM tbl_events WHERE start_event LIKE '$year-$month-%'";
$result = mysqli_query($connection, $query);

The code above does not sanitize the user-supplied input in the month parameter before applying it in the SQL query. Consequently, this opens up the possibility of SQL injection attacks.

Exploit

An attacker can exploit this vulnerability by modifying the value of the 'month' parameter and injecting malicious SQL payloads. For example, the attacker could use a payload like this:

1 UNION SELECT 1,table_name,3,4,5,6 FROM information_schema.tables WHERE table_schema=database()--

Original References

Below are some resources for further information on CVE-2024-34930
1. Official CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34930
2. NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-34930

Mitigation

To mitigate this vulnerability, the developers should apply proper input validation and sanitize all user-supplied parameters, especially before injecting them into SQL statements.

To patch the vulnerability, replace the vulnerable code in the /model/all_events1.php file with the following sanitized version:

$month = intval($_POST['month']);
$year = date('Y');

$query = "SELECT * FROM tbl_events WHERE start_event LIKE CONCAT(?, '-', ?, '-%')";
$stmt = mysqli_prepare($connection, $query);
mysqli_stmt_bind_param($stmt, "ii", $year, $month);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

In the code above, the input for the month parameter is sanitized by converting it into an integer value. Additionally, a prepared statement is used to protect the SQL query against injection attacks.

Conclusion

This article has provided detailed information regarding the SQL injection vulnerability, designated CVE-2024-34930, in the /model/all_events1.php in Campcodes Complete Web-Based School Management System 1.. The vulnerability can be exploited by an attacker to execute arbitrary SQL commands by manipulating the month parameter. To remediate this issue, it is crucial to sanitize and validate all user inputs and use prepared statements where feasible.

Timeline

Published on: 05/23/2024 17:15:29 UTC
Last modified on: 07/03/2024 02:00:57 UTC