CVE-2018-14472
Description
An issue was discovered in WUZHI CMS 4.1.0. The vulnerable file is coreframe/app/order/admin/goods.php. The $keywords parameter is taken directly into execution without any filtering, leading to SQL injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in WUZHI CMS 4.1.0 allows an attacker who can reach the admin endpoint to execute arbitrary SQL via the keywords parameter in goods.php.
Vulnerability
An SQL injection vulnerability exists in WUZHI CMS version 4.1.0. The vulnerable file is coreframe/app/order/admin/goods.php. The $keywords parameter is taken from $GLOBALS['keywords'] after a trim() call but is directly concatenated into an SQL query without sanitization or parameterization, leading to SQL injection [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted request to the endpoint /index.php?m=order&f=goods&v=listing with the keywords parameter containing malicious SQL. The PoC demonstrates using extractvalue for error-based information extraction [1]. The request requires valid authentication parameters (_su and _menuid) to access the admin panel, but once authenticated, the SQL injection can be executed without additional privileges [1].
Impact
Successful exploitation allows an attacker to extract sensitive data from the database, such as user credentials or configuration details, through error-based SQL injection. The impact is limited to data confidentiality, as the injection is error-based and does not directly lead to code execution or data modification [1].
Mitigation
The vendor has not released a patch for this vulnerability as of the publication date [1]. Mitigation involves escaping the $keywords parameter or, preferably, passing it to the database through a prepared statement. Since the software may be unmaintained, users should consider migrating to an alternative CMS or applying a custom input validation filter [1].
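The pattern described above and the prepared-statement fix, as an added PHP illustration that is not WUZHI CMS code: the table and column names and the LIKE-based search are assumptions, only the trim()-then-concatenate handling of $keywords mirrors what the description says about goods.php.

```php
<?php
// Added illustration, not code from WUZHI CMS. Table/column names and the
// LIKE search are assumptions; the $keywords handling mirrors the pattern
// reported for coreframe/app/order/admin/goods.php.

// Vulnerable pattern: the trimmed keyword is interpolated into the SQL text,
// so whatever the caller sends in "keywords" is parsed as part of the query.
function listGoodsVulnerable(mysqli $db, array $globals)
{
    $keywords = trim($globals['keywords'] ?? '');
    $sql = "SELECT id, title FROM goods WHERE title LIKE '%{$keywords}%'";
    return $db->query($sql);
}

// Hardened form: the keyword is bound as a value and can never change the
// query structure, regardless of quotes or SQL functions it contains.
function listGoodsSafe(PDO $db, array $globals): array
{
    $keywords = trim((string)($globals['keywords'] ?? ''));

    // Defensive length cap: a search term has no business being this long,
    // and it bounds what can be reflected into error messages.
    if (mb_strlen($keywords) > 100) {
        throw new InvalidArgumentException('keywords too long');
    }

    // LIKE wildcards are a separate (non-injection) concern: escape % and _
    // so the user searches for them literally. MySQL's default LIKE escape
    // character is the backslash, which is why it is escaped here as well.
    $pattern = '%' . addcslashes($keywords, '%_\\') . '%';

    $stmt = $db->prepare(
        'SELECT id, title FROM goods WHERE title LIKE :pattern'
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

For detection, a search term in the keywords parameter that contains quotes or SQL function names such as those named in the PoC is a useful web-log indicator for this endpoint.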
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/wuzhicms/wuzhicms/issues/144 (MITRE, x_refsource_MISC)
News mentions: 0
No linked articles in our index yet.