VYPR
Unrated severity · NVD Advisory · Published Jan 23, 2019 · Updated Aug 4, 2024

CVE-2019-6707

Description

PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=state product_id[] parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHPSHE 1.7 has a SQL injection vulnerability in the admin panel's product state update via the product_id[] parameter, allowing time-based blind data extraction.

Vulnerability

PHPSHE B2C system version 1.7 (build 20180905 UTF8) contains a SQL injection vulnerability in the admin.php endpoint when handling the mod=product&act=state action. The product_id[] parameter, which is expected to be an array, is not sanitized before being used in SQL queries. This allows an authenticated administrator to inject arbitrary SQL commands via the POST request. The vulnerability is present in the default installation and requires the attacker to have admin panel access [1].
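The array-parameter handling described above, as an added illustration (hypothetical code, not PHPSHE's own): the unsafe concatenation pattern beside a hardened handler that validates every product_id[] element and binds it through a prepared statement. The table and column names (product, product_id, product_state) and the allowed state values are assumptions.

```php
<?php
// Hypothetical "set product state" handler (not PHPSHE code).

// UNSAFE: request array elements are concatenated straight into SQL.
// A value that closes the quote (e.g. "2' AND SLEEP(5) AND 'x'='x")
// becomes part of the statement, which is the injection the advisory describes.
function buildStateQueryUnsafe(array $productIds, int $state): string
{
    $list = "'" . implode("','", $productIds) . "'";
    return "UPDATE product SET product_state = $state WHERE product_id IN ($list)";
}

// HARDENED: accept only plain positive integers, then bind via placeholders
// so the database engine never interprets user input as SQL.
function updateProductState(PDO $db, array $productIds, int $state): int
{
    if (!in_array($state, [0, 1], true)) {            // assumed state values
        throw new InvalidArgumentException('invalid state');
    }
    $ids = [];
    foreach ($productIds as $id) {
        // Reject nested arrays and anything other than a bare decimal integer.
        if (!is_string($id) && !is_int($id)) {
            throw new InvalidArgumentException('product_id[] must be scalar');
        }
        if (!preg_match('/^[1-9][0-9]{0,9}$/', (string) $id)) {
            throw new InvalidArgumentException('invalid product_id');
        }
        $ids[] = (int) $id;
    }
    if ($ids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "UPDATE product SET product_state = ? WHERE product_id IN ($placeholders)"
    );
    $stmt->execute(array_merge([$state], $ids));
    return $stmt->rowCount();
}

// Demo on constructed data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (product_id INTEGER PRIMARY KEY, product_state INTEGER)');
$db->exec('INSERT INTO product VALUES (1, 0), (2, 0), (3, 0)');

echo updateProductState($db, ['1', '3'], 1), " rows updated\n";
try {
    updateProductState($db, ["2' AND SLEEP(5) AND 'sTmn'='sTmn"], 1);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";   // the PoC value never reaches SQL
}
```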

Exploitation

An attacker must first authenticate to the admin panel (default credentials admin/admin). The attacker then sends a POST request to /admin.php?mod=product&act=state with a crafted product_id[] parameter. The provided proof-of-concept uses a time-based blind SQL injection payload: product_id[]=2' AND SLEEP(5) AND 'sTmn'='sTmn. This causes a delay if the injected condition is true, allowing the attacker to infer information from the database. Tools like sqlmap can automate the exploitation [1].

Impact

Successful exploitation allows an attacker to extract sensitive data from the database, such as user credentials, configuration details, or other stored information. The time-based blind technique enables retrieval of arbitrary data without direct output. The attacker gains the ability to read, modify, or delete database contents, potentially leading to full compromise of the CMS and its data [1].

Mitigation

As of the publication date (2019-01-23), no official patch or fixed version has been released by the vendor. Users are advised to restrict access to the admin panel to trusted IPs, enforce strong passwords, and monitor for suspicious activity. If possible, upgrade to a later version of PHPSHE if a security update becomes available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.


References: 1
