CVE-2021-46204

Vulnerability

Taocms version 3.0.2 suffers from two distinct vulnerabilities. An arbitrary file read vulnerability exists via the path parameter, allowing an attacker to read arbitrary files on the server [1]. Additionally, a SQL injection vulnerability is present in the update() method in taocms\include\Model\Article.php at line 33. The incoming SQL statement in the update() method does not use intval to process the id parameter, enabling blind SQL injection [1]. The Link.php extends Article, so the vulnerable code path is reachable when editing a link.

Exploitation

For the SQL injection, an attacker needs to be authenticated or have the ability to trigger the update() method via the management interface. The proof of concept shows that by editing a link and setting the id parameter to 2)and+sleep(5)--+, a time-based blind SQL injection can be performed [1]. The attacker can manipulate the id parameter in the request to inject SQL commands. For the file read, an attacker can provide a malicious path parameter to read arbitrary files without authentication.

Impact

Successful exploitation of the SQL injection can lead to unauthorized access, modification, or disclosure of database contents, potentially compromising the entire application's data [1]. The arbitrary file read vulnerability allows an attacker to read sensitive files from the server, such as configuration files containing credentials or other sensitive information, leading to further compromise.

Mitigation

As of the publication date (2022-01-19), no fixed version has been released for Taocms 3.0.2. Users should monitor the vendor's repository for patches. Until a fix is available, it is recommended to restrict access to the management interface, implement input validation (e.g., use intval for integer parameters), and apply web application firewall rules to block malicious payloads.