CVE-2018-17552

An attacker sends a crafted HTTP request to the login page with a malicious `navigate-user` cookie containing SQL injection payloads. The application concatenates this cookie value directly into SQL queries without sanitization or parameterization, allowing the attacker to manipulate the query logic. By injecting a payload such as `' OR '1'='1`, the attacker can bypass authentication entirely and gain unauthorized access to the administrative interface [ref_id=1].

The vulnerability resides in the `login.php` file of Navigate CMS 2.8, where the `navigate-user` cookie is used directly in SQL queries without parameterization. The patch modifies the core database wrapper methods `query()`, `query_single()`, and `queryLimit()` in the database class to accept an optional `$parameters` array and use prepared statements when parameters are provided [ref_id=1].

The patch introduces an optional `$parameters` array parameter to the `query()`, `query_single()`, and `queryLimit()` methods. When parameters are supplied, the code uses `$this->db->prepare($sql)` followed by `$statement->execute($parameters)` instead of directly calling `$this->db->query($sql)`. This shifts from string concatenation to prepared statements, which separates SQL logic from user-supplied data and prevents injection. The patch also refactors the SQL string construction in `query_single()` to be built before the conditional block, improving code clarity [ref_id=1].

1. Send a POST request to the Navigate CMS login page (e.g., `/navigate/login.php`) with a crafted cookie: `navigate-user=' OR '1'='1`. 2. The SQL query becomes `SELECT ... FROM users WHERE ... username='' OR '1'='1'`, which returns all users. 3. The application authenticates the attacker as the first user in the result set, granting admin access without a valid password [ref_id=1].