CVE-2018-19894
Description
ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete() in CommentadminController.class.php and is exploitable with the manager privilege via the ids[] parameter in a commentadmin action.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ThinkCMF X2.2.2 has a SQL injection in CommentadminController's check() and delete() functions, allowing authenticated managers to execute arbitrary SQL.
Vulnerability
ThinkCMF X2.2.2 contains a SQL injection vulnerability in the check() and delete() methods of /application/Comment/Controller/CommentadminController.class.php. The elements of the $_POST['ids'] array are joined with join() and concatenated straight into the IN list of the SQL WHERE clause, with no integer cast and no parameter binding, so any element containing SQL syntax becomes part of the executed statement. Reaching the affected code path requires manager-level privileges [1].
Exploitation
An attacker with manager privileges sends a POST request to the commentadmin action (e.g., index.php?g=Comment&m=commentadmin&a=check&check=1) with a crafted ids[] parameter. For example, a body of ids[]=1&ids[]=2 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1) puts a SQL AND with an updatexml() call into the second element; MySQL then raises an XPath syntax error whose message echoes the output of user(), a standard error-based confirmation that the input reached the query unsanitized. The same position accepts arbitrary SQL, so the attacker is not limited to that one payload [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries against the database. This can lead to disclosure of sensitive data (e.g., user credentials, configuration), modification or deletion of database records, and potentially full compromise of the application. The injected SQL runs with the privileges of the application's own database account, so a manager whose interface only exposes comment moderation gains direct read and write access to every table that account can reach, including administrator accounts and site configuration [1].
Mitigation
No official patch had been released for this vulnerability as of the publication date (2018-12-06), and the referenced advisory [1] does not provide a fix. Until a fixed release is available, the affected methods should cast every element of ids[] to an integer (or reject the request if any element is not a positive integer) and pass the values to the query through parameter binding rather than string concatenation; restricting the commentadmin actions to trusted administrators reduces exposure but does not remove the flaw. Upgrading to a later version of ThinkCMF may address this issue, but no specific fixed version is mentioned in the available references.
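The vulnerable pattern described under Vulnerability and Exploitation, and the fix described under Mitigation, side by side. This is an added example, not ThinkCMF's code: the table name, column names, sample rows and the function names are constructed for the demo, and the page's updatexml() payload is replaced by a tautology because the script runs against an in-memory SQLite database rather than MySQL (updatexml() is MySQL-only). Run it with a stock PHP build that has pdo_sqlite.

```php
<?php
// Added example (not from ThinkCMF): the join()-into-WHERE shape behind
// CVE-2018-19894 next to a hardened version. Table, rows and names are
// constructed for this demo; SQLite stands in for MySQL so it runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cmf_comment (id INTEGER PRIMARY KEY, status INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO cmf_comment (id, status) VALUES (1,0),(2,0),(3,0),(4,0)');

// Vulnerable shape (mirrors the page's description): every element of ids[]
// is glued into the SQL text, so an element may carry its own SQL syntax.
function checkVulnerable(PDO $db, array $ids, int $check): int
{
    $list = join(',', $ids);   // no cast, no binding
    $sql  = "UPDATE cmf_comment SET status = $check WHERE id IN ($list)";
    return $db->exec($sql);    // returns affected rows; attacker owns the WHERE clause
}

// Hardened shape: coerce each id to a positive integer and bind every value.
function checkHardened(PDO $db, array $ids, int $check): int
{
    $ints = array_values(array_filter(
        array_map('intval', $ids),
        function ($v) { return $v > 0; }
    ));
    if (!$ints) {
        return 0;              // nothing valid to update
    }
    $placeholders = implode(',', array_fill(0, count($ints), '?'));
    $stmt = $db->prepare("UPDATE cmf_comment SET status = ? WHERE id IN ($placeholders)");
    $stmt->execute(array_merge([$check], $ints));
    return $stmt->rowCount();
}

// Constructed request body: a manager "checks" comments 1 and 2, but the
// second element closes the IN list and appends a tautology, so the
// vulnerable statement becomes
//   UPDATE cmf_comment SET status = 1 WHERE id IN (1,2) OR 1=1 OR id IN (0)
$maliciousIds = ['1', '2) OR 1=1 OR id IN (0'];

$vulnerableRows = checkVulnerable($db, $maliciousIds, 1);   // 4: every row touched
$db->exec('UPDATE cmf_comment SET status = 0');             // reset for the second run
$hardenedRows   = checkHardened($db, $maliciousIds, 1);     // 2: only ids 1 and 2

echo "vulnerable: $vulnerableRows rows updated, hardened: $hardenedRows rows updated\n";
```

The hardened version keeps the IN list dynamic (one placeholder per id) instead of binding a comma-joined string, which would compare the column against a single text value and silently match nothing; the intval() pass also turns the page's updatexml() payload into the integer 2, so the error-based extraction never reaches the database.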
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/thinkcmf/cmfx/issues/26 (MITRE reference, x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.