CVE-2024-3464 in Laundry Management System

Summary

by MITRE • 04/08/2024

A vulnerability was found in SourceCodester Laundry Management System 1.0 and classified as critical. This issue affects the function laporan_filter of the file /application/controller/Pelanggan.php. The manipulation of the argument jeniskelamin leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259745 was assigned to this vulnerability.


Analysis

by VulDB Data Team • 01/17/2025

The vulnerability identified as CVE-2024-3464 is a critical SQL injection flaw in SourceCodester Laundry Management System version 1.0, specifically in the laporan_filter function of the Pelanggan.php controller. The weakness stems from inadequate validation and sanitization of the jeniskelamin parameter (Indonesian for "gender", the customer attribute the report is filtered on). The flaw sits at the application layer: user-supplied data flows directly into SQL query construction without escaping or parameterization, giving a remote party a path to alter the database operations the application performs.

Because the application neither filters the jeniskelamin input nor uses prepared statements when laporan_filter builds its query, a remote attacker can inject SQL through that parameter and execute arbitrary SQL commands against the underlying database. The critical rating reflects the potential for complete database compromise, data exfiltration, and unauthorized access to sensitive customer information, including personal details, laundry records, and potentially payment information. The attack vector is remote, so no local system access is required, and the exploit has been publicly disclosed, which increases the risk of widespread exploitation.

The operational impact of this vulnerability extends beyond simple data theft, as successful exploitation could enable attackers to modify or delete critical customer and business data, potentially disrupting laundry operations and leading to financial losses. The laundry management system likely contains sensitive personal information and transactional data that could be leveraged for identity theft, fraud, or other malicious activities. Additionally, the compromise of the database could provide attackers with access to system credentials, potentially enabling further lateral movement within the network infrastructure. The vulnerability affects the entire customer management functionality of the system, making it a prime target for attackers seeking to gain persistent access to the organization's data assets.

Organizations running this vulnerable system should immediately implement mitigations: validate and sanitize all user-supplied parameters, particularly those used in database queries, and make prepared statements or parameterized queries mandatory for every database interaction. Network segmentation and firewall rules should limit access to the application server, and regular security assessments and penetration testing should be conducted to identify similar vulnerabilities. The system should be updated to the latest version as soon as a patched release becomes available, and all user accounts should be reviewed for potential compromise. The vulnerability maps to CWE-89 (SQL Injection); from an ATT&CK perspective it corresponds to T1190 (Exploit Public-Facing Application) and T1071.004 (Application Layer Protocol), representing a significant risk to organizational security posture and data integrity.
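The fix the analysis calls for, shown as an added illustration that is not the SourceCodester code: a hypothetical laporan_filter handler first in the string-concatenation shape that makes the jeniskelamin value part of the SQL text, then rewritten with an allow-list check and a PDO prepared statement. The table and column names (pelanggan, jenis_kelamin) and the accepted gender codes are assumptions.

```php
<?php
// Added example, not the project's own code. Table/column names and the
// accepted jeniskelamin codes are assumptions made for illustration.

// Vulnerable shape (CWE-89): the request value is spliced into the SQL text,
// so whatever the client sends becomes part of the statement itself.
function laporan_filter_vulnerable(PDO $db, array $post): array
{
    $jk  = $post['jeniskelamin'] ?? '';
    $sql = "SELECT * FROM pelanggan WHERE jenis_kelamin = '" . $jk . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: reject anything outside a small allow-list, then bind the
// value as a parameter so it can never change the structure of the query.
function laporan_filter_hardened(PDO $db, array $post): array
{
    $allowed = ['L', 'P'];               // assumed codes: Laki-laki / Perempuan
    $jk = $post['jeniskelamin'] ?? '';
    if (!in_array($jk, $allowed, true)) {
        http_response_code(400);         // unexpected value: refuse the request
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM pelanggan WHERE jenis_kelamin = :jk');
    $stmt->execute([':jk' => $jk]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// When creating the connection, turn off emulated prepares so the database
// server itself performs the parameter binding:
// $db = new PDO($dsn, $user, $pass, [PDO::ATTR_EMULATE_PREPARES => false]);
```

The same two-step pattern (allow-list, then bind) applies to every other request parameter the controller feeds into a query, not only jeniskelamin.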

Responsible: VulDB

Reservation: 04/08/2024

Disclosure: 04/08/2024

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00756

KEV: no

Activities: very low
