Authenticated SQL-Injection
In the file cms/modules/article.lib.php, some user input is not validated correctly, which allows for an authenticated SQL injection (more info here: https://www.owasp.org/index.php/SQL_Injection ). To exploit this, a user has to have the right to view "drafts", which by default only seems to be the case for the admin user. This allows access to the SQL database by any user that is logged into the CMS as admin.
The line in question (pragyan/cms/modules/article.lib.php, line 386 in a701f91) uses `$draftNo`, which comes from a user-supplied GET parameter and is not filtered at all.
To reproduce this, create two versions of a draft of some article and run sqlmap on a local version of the CMS like so:

```
python sqlmap.py -u "http://localhost/pragyan/home/how_to_use/+edit&dversion=2*" --cookie='cookie_support=enabled; PHPSESSID=qece7ieb5fnqc9h5p3rb87q0h2'
```

where the cookie parameter must be replaced by a valid cookie of the admin user for this to work.
Here is a screenshot of it: https://i.imgur.com/ycCCuxu.png
This could be fixed by e.g. surrounding the parameter with a call to `mysql_real_escape_string`, i.e. `$draftNo = mysql_real_escape_string($draftNo);`.
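As an added illustration of the fix (not code from the pragyan CMS), the hypothetical lookup below shows the unfiltered pattern the issue describes beside a hardened form that validates the draft version as an integer and binds it in a prepared statement. `mysql_real_escape_string` belongs to the `mysql` extension that was removed in PHP 7.0 and only protects values inside quoted string literals, so a prepared statement is the more durable choice. The function, table and column names and the `$db` mysqli connection are assumptions.

```php
<?php
// Added example, not the project's own code. Table, column and function
// names are assumptions; $db is assumed to be an open mysqli connection.

// Unfiltered pattern described in the issue: the GET value is spliced
// directly into the query text, so it can change the query's structure.
function fetchDraftUnfiltered(mysqli $db, string $draftNo): ?array {
    $sql = "SELECT draft_id, content FROM article_drafts WHERE version = '$draftNo'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened form: a draft version is a non-negative integer, so reject
// anything else up front, then bind the value so it is sent to the
// server as data rather than as part of the SQL text.
function fetchDraftSafe(mysqli $db, $draftNo): ?array {
    // ctype_digit rejects signs, whitespace and any non-digit characters.
    if (!is_string($draftNo) || $draftNo === '' || !ctype_digit($draftNo)) {
        return null;
    }
    $version = (int) $draftNo;

    $stmt = $db->prepare(
        "SELECT draft_id, content FROM article_drafts WHERE version = ?"
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $version); // 'i' = integer placeholder
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Caller: read the parameter from its expected source only and route it
// through the validating, parameterised lookup.
$draftNo = $_GET['dversion'] ?? '';
$draft   = fetchDraftSafe($db, $draftNo);
```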