CVE-2018-25179

Vulnerability in

Gumbo CMS 0.99 allows unauthenticated attackers to perform SQL injection through the language parameter when language parameter in POST requests to the /settings/en endpoint [1][2]. The application fails to sanitize user input before constructing SQL queries, enabling the injection of malicious SQL code even without authentication [2]. The exploit payload typically includes a blind SQL injection technique using conditional statements and functions like AND to retrieve data character by character [1].

Attackers can exploit this vulnerability by sending a crafted POST request with a malicious payload in the language parameter. The exploit requires no prior authentication or special privileges, making it accessible to any attacker able to reach the server [2]. The attack is simple to execute, as demonstrated by the published proof-of-concept code [1].

Successful exploitation allows an attacker to extract sensitive information from the underlying database, including database usernames, database names, and version details [1][2]. This information can be used to further compromise the application or pivot to other systems.

Mitigation

As of the latest known version (0.99), no official patch has been released to address this vulnerability. Users should consider disabling the settings endpoint if possible, or upgrading to a newer version that is no longer maintained [2]. The vulnerability has been publicly disclosed with proof-of-concept code, increasing the risk of exploitation [1]."