CVE-2020-23966

Vulnerability

Victor CMS version 1.0 (repository now archived) contains a SQL injection vulnerability in /post.php. The post parameter from a GET request is directly concatenated into an SQL query without sanitization or prepared statements [1][2]. Affected versions: all deployments using the vulnerable code from the repository before the fix was applied (the repository is archived and no further updates are expected).

Exploitation

An attacker can exploit this vulnerability by sending a crafted GET request to /post.php with a malicious post parameter. The reference [2] provides a proof-of-concept: post=1 and sleep(2) -- was used to cause a time delay, confirming the injection. No authentication is required; the attacker only needs network access to the web server.

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands against the database. This could lead to unauthorized access, modification, or deletion of data, including extraction of sensitive information such as user credentials and session tokens [1][2]. The impact is limited by the permissions of the database user used by the application, but typical configurations often provide full read/write access.

Mitigation

The repository has been archived and no official patched version is published. Users are strongly advised to migrate away from Victor CMS 1.0 or manually fix the code by replacing the vulnerable query in post.php with prepared statements, as suggested in the issue report [2]. Specifically, use a parameterized query like $query = "SELECT * FROM posts WHERE post_id = ?"; with bound parameters. If migration is not possible, input validation and using a database user with minimal privileges can reduce risk.