CVE-2019-9626

Vulnerability

PHPSHE version 1.7 contains a SQL injection vulnerability in the module/index/cart.php file. The pintuan_id parameter is passed directly to an SQL query without proper sanitization, allowing injection of malicious SQL statements. The vulnerability can be exploited via the index.php endpoint, as noted in the issue [1].

Exploitation

An attacker can exploit this by sending a crafted HTTP request with a malicious pintuan_id parameter to the vulnerable page. Since the injection is time-based blind, the attacker can infer the contents of the database by observing response delays. No authentication is required as the endpoint is publicly accessible.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the database. This can lead to unauthorized access to sensitive data, including user credentials and other stored information. The impact is limited to data confidentiality and integrity, as the injection is not directly exploitable for remote code execution.

Mitigation

The issue was reported on the official Gitee repository [1]. As of the CVE publication date, no patch has been released. Users should upgrade to a fixed version once available or apply input validation on the pintuan_id parameter to mitigate the risk. However, no official fix is documented in the reference.