CVE-2018-17852
Description
A SQL injection was discovered in WUZHI CMS 4.1.0 in coreframe/app/coupon/admin/card.php via the groupname parameter to the /index.php?m=coupon&f=card&v=detail_listing URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability in WUZHI CMS 4.1.0 allows remote attackers to execute arbitrary SQL commands via the groupname parameter.
Vulnerability
A SQL injection vulnerability exists in WUZHI CMS 4.1.0 in /coreframe/app/coupon/admin/card.php at line 39 in the detail_listing function. The groupname parameter from $GLOBALS is sanitized with strip_tags but is directly concatenated into the SQL query without parameterization or escaping, allowing injection of malicious SQL statements [1].
Exploitation
An attacker can exploit this by sending a crafted request to /index.php?m=coupon&f=card&v=detail_listing&groupname=a' and updatexml(rand(),CONCAT(0x7e,USER()),1)=' (as demonstrated in the proof of concept). Authentication is not required, although, because the vulnerable page is admin-facing, admin access may be needed depending on the deployment; the reference suggests the URI is reachable remotely. The groupname parameter is used in the WHERE clause without proper sanitization, allowing injection [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands, potentially leading to information disclosure, data manipulation, or full database compromise. The attacker can extract sensitive data such as user credentials, modify application data, or potentially gain further access to the server [1].
Mitigation
The vulnerability affects WUZHI CMS 4.1.0. As of the publication date (2018-10-01), no official patch has been released. Users should apply input validation and parameterized queries to the groupname parameter. Additionally, restricting access to the admin panel and using a web application firewall may help mitigate exploitation. The repository may have updates; users should check for any later versions [1].
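To make the defect in the Vulnerability section and the fix recommended above concrete, the following PHP is an added illustration and not WUZHI CMS's own code: it reconstructs the pattern the narrative describes (strip_tags() on the groupname value, then string concatenation into the WHERE clause) next to a parameterized replacement. The table name coupon_card, the function names and the in-memory SQLite database (assumes the pdo_sqlite extension) are all assumptions made for the demonstration.

```php
<?php
// Added illustration, not WUZHI CMS code. Table and function names are hypothetical.

// Vulnerable pattern as described in the advisory: strip_tags() removes HTML
// tags but leaves quotes and SQL keywords intact, so the value can still close
// the string literal and append its own SQL.
function build_listing_sql_unsafe(string $groupname): string
{
    $groupname = strip_tags($groupname);
    return "SELECT * FROM coupon_card WHERE groupname = '" . $groupname . "'";
}

// Hardened replacement: the value is sent as a bound parameter and is never
// interpreted as part of the SQL text, whatever characters it contains.
function find_cards_by_group(PDO $db, string $groupname): array
{
    $stmt = $db->prepare('SELECT * FROM coupon_card WHERE groupname = :groupname');
    $stmt->execute([':groupname' => $groupname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE coupon_card (id INTEGER PRIMARY KEY, groupname TEXT)');
$db->exec("INSERT INTO coupon_card (groupname) VALUES ('vip'), ('staff')");

// Constructed input containing a single quote, the character strip_tags() ignores.
$input = "vip' OR '1'='1";

// The quote survives sanitization and the generated SQL is no longer the intended query.
echo build_listing_sql_unsafe($input), PHP_EOL;

// With the prepared statement the same input is matched literally against
// groupname and returns no rows, while a legitimate value still works.
echo count(find_cards_by_group($db, $input)), ' rows for the crafted value', PHP_EOL;
echo count(find_cards_by_group($db, 'vip')), ' rows for the legitimate value', PHP_EOL;
```

The same bound-parameter approach applies to any WHERE, ORDER BY or LIMIT fragment built from request data; escaping alone (strip_tags, addslashes) is not an acceptable substitute.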
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
WUZHI CMS, range: =4.1.0
Patches
No patches discovered yet.
References
[1] github.com/wuzhicms/wuzhicms/issues/155 (MITRE reference source: MISC)