7.3 CVE-2024-11970

RCE Injection SQL Buffer Overflow Path Traversal RCI Exploit
 

A vulnerability classified as critical has been found in code-projects Concert Ticket Ordering System 1.0. Affected is an unknown function of the file /tour(cor).php. The manipulation of the argument mai leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
https://nvd.nist.gov/vuln/detail/CVE-2024-11970

Categories

CWE-74 : Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Software or other automated logic has certain assumptions about what constitutes data and control respectively. It is the lack of verification of these assumptions for user-controlled input that leads to injection problems. Injection problems encompass a wide variety of issues -- all mitigated in very different ways and usually attempted in order to alter the control flow of the process. For this reason, the most effective way to discuss these weaknesses is to note the distinct features that classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed.

CWE-89 : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. a common attack-oriented phrase a common abbreviation for "SQL injection" This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large. For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. SQL injection in security product dashboard using crafted certificate fields SQL injection in time and billing software, as exploited in the wild per CISA KEV. SQL injection in file-transfer system via a crafted Host header, as exploited in the wild per CISA KEV. SQL injection in firewall product's admin interface or user portal, as exploited in the wild per CISA KEV. An automation system written in Go contains an API that is vulnerable to SQL injection allowing the attacker to read privileged data. chain: SQL injection in library intended for database authentication allows SQL injection and authentication bypass. SQL injection through an ID that was supposed to be numeric. SQL injection through an ID that was supposed to be numeric. SQL injection via user name. SQL injection via user name or password fields. SQL injection in security product, using a crafted group name. SQL injection in authentication library. SQL injection in vulnerability management and reporting tool, using a crafted password.

References

cna@vuldb.com Exploit


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:anisha:concert_ticket_ordering_system:1.0:*:*:*:*:*:*:*


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://github.com/halhalz/1/issues/1


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
10 Buffer Overflow via Environment Variables
High
105 HTTP Request Splitting
High
101 Server Side Include (SSI) Injection
High
108 Command Line Execution through SQL Injection
Very High
120 Double Encoding
Medium
13 Subverting Environment Variable Values
Very High
135 Format String Injection
High
14 Client-side Injection-induced Buffer Overflow
High
24 Filter Failure through Buffer Overflow
High
250 XML Injection
267 Leverage Alternate Encoding
High
273 HTTP Response Smuggling
High
28 Fuzzing
Medium
3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters
Medium
34 HTTP Response Splitting
High
42 MIME Conversion
High
43 Exploiting Multiple Input Interpretation Layers
High
45 Buffer Overflow via Symbolic Links
High
46 Overflow Variables and Tags
High
47 Buffer Overflow via Parameter Expansion
High
51 Poison Web Service Registry
Very High
52 Embedding NULL Bytes
High
53 Postfix, Null Terminate, and Backslash
High
6 Argument Injection
High
64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
High
67 String Format Overflow in syslog()
Very High
7 Blind SQL Injection
High
71 Using Unicode Encoding to Bypass Validation Logic
High
72 URL Encoding
High
76 Manipulating Web Input to File System Calls
Very High
78 Using Escaped Slashes in Alternate Encoding
High
79 Using Slashes in Alternate Encoding
High
8 Buffer Overflow in an API Call
High
80 Using UTF-8 Encoding to Bypass Validation Logic
High
83 XPath Injection
High
84 XQuery Injection
Very High
9 Buffer Overflow in Local Command-Line Utilities
High
109 Object Relational Mapping Injection
High
110 SQL Injection through SOAP Parameter Tampering
Very High
470 Expanding Control over the Operating System from the Database
Very High
66 SQL Injection
High


MITRE


Techniques

id description
T1027 Obfuscated Files or Information
T1562.003 Impair Defenses:Impair Command History Logging
T1574.006 Hijack Execution Flow:Dynamic Linker Hijacking
T1574.007 Hijack Execution Flow:Path Interception by PATH Environment Variable
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id description
T1027 Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software.
T1562.003 Make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”.
T1574.006 When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions. Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary.
T1574.007 Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory <code>C:</code> and system directories, such as <code>C:Windows</code>, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.