CVE-2024-3000 · A vulnerability classified as critical was found in code-projects Online Book System 1.0.

01 · The Real Story

This is a flimsy screen door on a shed, not a blown vault door in your datacenter

CVE-2024-3000 is a login-path SQL injection in code-projects Online Book System 1.0, specifically index.php, where the username, password, login_username, or login_password inputs can be manipulated to bypass authentication and interact with the backend database. The public proof of concept shows a classic 'or 1=1-- - payload against the login flow, and the vulnerable build is the single downloadable 1.0 release distributed as a PHP/MySQL training project.

The vendor/CNA HIGH 7.3 score is reasonable in a lab vacuum, but it overstates enterprise patch urgency. The big downward pressure is deployment reality: this is a hobby/tutorial PHP app typically run under XAMPP or localhost-style setups, not a mainstream enterprise product with broad internet-facing production exposure. So yes, exploitation is easy; no, this should not outrank broadly deployed perimeter software just because the input validation is awful.

"Trivial to exploit if exposed, but this is mostly a tutorial PHP app with tiny real enterprise exposure"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable index.php login

An attacker first needs the application deployed somewhere reachable over HTTP. The project documentation itself shows the canonical local path as http://localhost/BookStore-master 1/, which is a strong clue this software is commonly used in labs, coursework, or one-off internal demos rather than managed production estates.

Conditions required:

The PHP app is actually deployed, not just downloaded
The login page is reachable from the attacker's network position
Apache/PHP and the MySQL backend are functioning

Where this breaks in practice:

Real enterprises rarely standardize on this code-projects training app
Many installs are local-only XAMPP or dev VM instances
There is no strong internet-scale fingerprint for dependable external discovery

Detection/coverage: Generic web discovery scanners will find the page if exposed, but asset inventory tools often miss one-off student/demo PHP apps unless web roots are monitored.

STEP 02

Replay the public auth-bypass payload with curl, Burp, or sqlmap

The public PoC from Burak Sevben demonstrates that the login path accepts a classic SQLi string in username with a benign password value. This is not a memory-corruption exploit; it is low-skill input manipulation that any tester with Burp Suite, curl, or sqlmap can reproduce once the endpoint is reachable.

Conditions required:

Unauthenticated remote access to the login form
Backend query construction uses unsanitized user input
The app has not been locally modified to use prepared statements

Where this breaks in practice:

WAF signatures may catch the obvious 'or 1=1-- - pattern
Minor local code edits can break the published payload even if the app remains vulnerable
If the app is behind VPN or internal-only reverse proxying, the attacker is already post-initial-access

Detection/coverage: DAST tools and WAF logs can usually spot this class. SAST can also catch raw $_POST into SQL in index.php if the codebase is available.

STEP 03

Bypass login and land in the app as an application user

Successful injection can satisfy the authentication query and establish an application session without knowing valid credentials. From there, the attacker gains whatever the application role can see or do, which may include order data, user records, and any admin-only functions weakly gated behind the same trust boundary.

Conditions required:

The vulnerable query controls authentication outcome
Session handling accepts the forged successful login path

Where this breaks in practice:

Blast radius depends entirely on the privileges mapped to that login path
Many tutorial apps have messy role separation, but some are still shallow in business impact
If the app stores little real data, operational impact stays limited

Detection/coverage: Authentication logs may only show a successful login, not the SQLi itself, unless HTTP logs or WAF telemetry are retained.

STEP 04

Pivot to database disclosure or tampering

Because this is SQL injection on the login path, an attacker can often move beyond simple auth bypass into broader query manipulation, subject to how the PHP code is written and what DB account permissions exist. That can mean reading user data, changing records, or damaging the dataset used by the store.

Conditions required:

The underlying DB user has meaningful read/write rights
The injection context permits additional query manipulation beyond boolean bypass

Where this breaks in practice:

No evidence here of direct OS-level RCE from this CVE alone
Database privileges may be narrower than full admin
A toy dataset sharply limits business consequence

Detection/coverage: Database audit logs, anomalous query telemetry, and verbose Apache access logs can expose exploitation attempts; vuln scanners may only report the initial SQLi condition.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation evidence located in authoritative public tracking; not listed in CISA KEV.
Public PoC availability	Yes. Burak Sevben published a working authentication-bypass proof of concept on GitHub; secondary trackers also reference another GitHub PoC.
EPSS	`0.00212` (~0.212%), which is low and consistent with limited operational interest.
KEV status	Not in KEV as of the CISA KEV catalog checked for this assessment.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L` — unauthenticated remote and easy to trigger, but the published vendor impact model keeps CIA impact at low.
Affected versions	`code-projects Online Book System 1.0` / `anisha online_book_system 1.0`; vulnerable component is `index.php` login handling.
Fixed version	No vendor-fixed version found. No official patch or newer secure release was identified in the vendor download/project pages.
Exposure reality	Project instructions explicitly center on XAMPP/localhost-style deployment (`http://localhost/BookStore-master 1/`), which strongly suggests lab/dev/demo prevalence, not broad enterprise internet exposure.
Disclosure	Published 2024-03-27; NVD shows later enrichment and modification activity on 2025-02-21.
Researcher / source	Public exploit and original reporting are attributed to Burak Sevben; CVE source is VulDB.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (4.3/10)

The decisive factor is reachability population: this is a trivially exploitable bug in a niche tutorial PHP application, not a broadly deployed enterprise platform. In practice, the vulnerability matters most when someone has already allowed a dev/demo app to become reachable; that sharply reduces estate-wide urgency compared with internet-facing products defenders knowingly run at scale.

HIGH Exploitability of the vulnerable login path when the app is reachable

MEDIUM Real-world exposure prevalence in enterprise estates

HIGH Absence of a vendor patch/newer fixed release in identified sources

Why this verdict

Downgrade for exposure reality: the app appears to be a downloadable training project typically run under XAMPP/localhost, so the exposed population is tiny compared with mainstream enterprise software.
Unauthenticated remote SQLi is still real: if a reachable instance exists, exploitation is low-skill and the public PoC makes auth bypass straightforward.
No KEV + low EPSS: there is no authoritative evidence of broad attacker focus, which matters when triaging thousands of hosts.

Why not higher?

Because the attack chain assumes the enterprise is actually running this specific low-prevalence PHP sample app and has made it reachable. That is a major narrowing factor. Also, there is no strong evidence here of widespread exploitation, mass scanning, or a large installed base that would justify treating it like a perimeter emergency.

Why not lower?

Because once a reachable instance exists, the exploit path is embarrassingly easy: no auth, no user interaction, public payload, and likely immediate session bypass. Even a stray demo server can expose credentials, customer data, or an internal foothold, so this is not pure paperwork risk.

05 · Compensating Control

What to do — in priority order.

Remove internet exposure — If you find this app anywhere, put it behind VPN, IP allowlisting, or internal-only reverse proxying. For a MEDIUM verdict there is no mitigation SLA; go straight to risk reduction as operational hygiene and complete it before the 365-day remediation window if the app cannot be retired sooner.
Retire demo installs — Treat code-projects sample apps as shadow IT unless a business owner proves otherwise. There is no mitigation SLA for this severity, so the practical control is inventory and retirement before the remediation deadline rather than emergency change windows.
Add WAF or reverse-proxy filtering — Block obvious SQLi metacharacters and rate-limit repeated login attempts to reduce opportunistic abuse. This is only a compensating control; with MEDIUM severity there is no mitigation SLA, but use it to cover gaps while you remove or replace the app within the remediation window.
Hunt for local code forks — Search web roots, Git repos, and VM templates for BookStore-master 1, u385439067_store, or the matching index.php login logic. Because there is no vendor patch identified, detection and retirement are the realistic enterprise controls within the 365-day remediation period.

What doesn't work

MFA on upstream SSO doesn't help if the vulnerable app uses its own local username/password form in index.php.
Endpoint AV on the web server doesn't stop boolean SQL injection in a PHP login form; this is application-layer abuse, not malware execution.
Credential rotation alone doesn't solve the core issue because the PoC bypasses authentication logic rather than stealing a valid password first.

06 · Verification

Crowdsourced verification payload.

Run this on the target host or against a mounted source tree where the PHP application files live. Invoke it as python3 verify_cve_2024_3000.py /var/www/html/BookStore-master\ 1 or python verify_cve_2024_3000.py C:\xampp\htdocs\BookStore-master 1; no admin rights are required if you can read the app files.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# verify_cve_2024_3000.py
# Detect likely vulnerable code-projects Online Book System 1.0 login SQLi in index.php
# Exit codes: 0=PATCHED/NOT DETECTED, 1=VULNERABLE, 2=UNKNOWN/ERROR

import os
import re
import sys

PARAM_HINTS = ["username", "password", "login_username", "login_password"]
SQL_HINTS = [
    r"select\s+.*from\s+.*where",
    r"mysqli_query\s*\(",
    r"->query\s*\(",
    r"mysql_query\s*\(",
]
UNSAFE_INPUT_HINTS = [
    r"\$_POST\[['\"]username['\"]\]",
    r"\$_POST\[['\"]password['\"]\]",
    r"\$_REQUEST\[['\"]username['\"]\]",
    r"\$_REQUEST\[['\"]password['\"]\]",
]
SAFE_HINTS = [
    r"prepare\s*\(",
    r"mysqli_prepare\s*\(",
    r"bind_param\s*\(",
    r"PDO\s*\(",
]


def read_file(path):
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        return f.read()


def main():
    if len(sys.argv) != 2:
        print("UNKNOWN - usage: python3 verify_cve_2024_3000.py <app_root>")
        sys.exit(2)

    root = sys.argv[1]
    if not os.path.isdir(root):
        print(f"UNKNOWN - path not found: {root}")
        sys.exit(2)

    index_php = os.path.join(root, "index.php")
    if not os.path.isfile(index_php):
        print("PATCHED - target app not detected (no index.php at provided root)")
        sys.exit(0)

    try:
        data = read_file(index_php)
    except Exception as e:
        print(f"UNKNOWN - failed to read {index_php}: {e}")
        sys.exit(2)

    lowered = data.lower()

    found_params = sum(1 for p in PARAM_HINTS if p in lowered)
    found_sql = sum(1 for pat in SQL_HINTS if re.search(pat, data, re.I))
    found_unsafe = sum(1 for pat in UNSAFE_INPUT_HINTS if re.search(pat, data, re.I))
    found_safe = sum(1 for pat in SAFE_HINTS if re.search(pat, data, re.I))

    app_markers = ["bookstore-master", "u385439067_store", "online book system"]
    found_markers = sum(1 for m in app_markers if m in lowered)

    # Heuristic decisioning
    if found_params >= 2 and found_sql >= 1 and found_unsafe >= 1 and found_safe == 0:
        print("VULNERABLE - index.php contains likely unsafe login SQL handling consistent with CVE-2024-3000")
        sys.exit(1)

    if found_safe >= 1 and found_sql >= 1 and found_unsafe == 0:
        print("PATCHED - query handling appears parameterized or the vulnerable pattern is absent")
        sys.exit(0)

    if found_markers or found_params >= 2:
        print("UNKNOWN - app may be present, but the vulnerable pattern could not be confirmed from index.php alone")
        sys.exit(2)

    print("PATCHED - application fingerprint not detected at the provided path")
    sys.exit(0)


if __name__ == "__main__":
    main()

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: don’t let this jump the queue ahead of broadly deployed edge software, but do run a quick hunt for stray code-projects/BookStore-master 1 installs in web roots, VM templates, and internal demo servers. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; because no vendor patch was identified, use the noisgate remediation SLA as the deadline to either retire the app, remove exposure, or carry a local code fix/replacement. If you find an internet-facing instance, accelerate that specific host immediately even though the estate-wide priority stays moderate.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.