CVE-2018-19896
Description
ThinkCMF X2.2.2 has SQL Injection via the function delete() in SlideController.class.php and is exploitable with the manager privilege via the ids[] parameter in a slide action.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ThinkCMF X2.2.2 SQL injection in SlideController delete() via ids[] parameter allows manager-privileged attackers to execute arbitrary SQL.
Vulnerability
An SQL injection vulnerability exists in the delete() function of application/Admin/Controller/SlideController.class.php in ThinkCMF X2.2.2. The $_POST['ids'] array is joined into a string with implode() and that string is concatenated directly into the WHERE clause without validation or escaping, so any array element is interpreted as SQL [1]. The vulnerability is exploitable only by users with manager privileges.
Exploitation
An attacker with manager privileges sends a POST request to the /index.php?g=Admin&m=slide&a=delete endpoint with a crafted ids[] parameter. By appending malicious SQL payloads to the array values, such as ids[]=0 and updatexml(1, concat(0x7e,user(),0x7e),1), the attacker can trigger the injection [1]. No additional user interaction is required.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands on the database. This can lead to disclosure of sensitive information (e.g., user credentials, configuration data) and potential modification or deletion of data, all under the context of the database user [1]. The manager privilege requirement limits the attack surface to authenticated users.
Mitigation
No official patch has been released for this vulnerability as of the disclosure date [1]. Users should consider upgrading to a newer version of ThinkCMF if available, or apply input validation and parameterized queries to the affected code manually. Until fixed, restrict manager privileges to trusted users only.
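The following PHP is an added illustration written for this page; it is not ThinkCMF's code and does not reproduce the project's fix. It shows the pattern the description names (an implode()'d array spliced into a WHERE clause) beside a hardened version that validates every element as a positive integer and binds the values through PDO placeholders. The table name cmf_slide, the column name id and the function names are assumptions.

```php
<?php
// Added example, not ThinkCMF's code. Table and column names are assumptions.

// Vulnerable pattern (as described in the advisory): array values are joined
// and spliced into the WHERE clause verbatim, so a non-numeric element is
// executed as SQL rather than treated as data.
function buildDeleteWhereUnsafe(array $ids): string
{
    return "id IN (" . implode(',', $ids) . ")";
}

// Hardened input check: each ids[] element must be a scalar made only of
// digits, non-zero, and short enough to fit an integer column.
function validateIds(array $ids): array
{
    $clean = [];
    foreach ($ids as $id) {
        if (!is_string($id) && !is_int($id)) {
            throw new InvalidArgumentException('ids[] must contain scalar values');
        }
        $s = (string) $id;
        if (!ctype_digit($s) || $s === '0' || strlen($s) > 18) {
            throw new InvalidArgumentException("invalid id: $s");
        }
        $clean[] = (int) $s;
    }
    if ($clean === []) {
        throw new InvalidArgumentException('no ids supplied');
    }
    return array_values(array_unique($clean));
}

// Hardened delete: validated integers are bound as parameters, so the
// statement text never contains request-controlled characters.
function deleteSlides(PDO $pdo, array $rawIds): int
{
    $ids = validateIds($rawIds);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM cmf_slide WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Demonstration on a constructed in-memory SQLite table. The first call
// deletes two rows; the second is rejected before any SQL is built.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cmf_slide (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO cmf_slide (id, name) VALUES (1, 'a'), (2, 'b'), (3, 'c')");

echo "unsafe WHERE for ['1', '3 OR 1=1']: "
    . buildDeleteWhereUnsafe(['1', '3 OR 1=1']) . "\n";

echo deleteSlides($pdo, ['1', '3']) . " rows deleted\n";
try {
    deleteSlides($pdo, ['3 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Validation alone is sufficient for an integer-only parameter, but binding the values as well keeps the query safe if the column type or the allowed input format is later widened. If the application's own query builder is used instead of PDO, the same rule applies: pass the validated array to the builder's binding mechanism rather than pre-formatting it into the condition string.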
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/thinkcmf/cmfx/issues/26 (MITRE x_refsource_MISC)
News mentions: 0 (no linked articles in our index yet)