CVE-2022-23380
Description
There is a SQL injection vulnerability in the background of taocms 3.0.2 in parameter id:action=admin&id=2&ctrl=edit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability in the id parameter of taocms 3.0.2 allows blind SQL injection during admin edit operations.
Vulnerability
Taocms version 3.0.2 contains a SQL injection vulnerability in the background admin panel. The flaw exists in the id parameter when accessing admin.php with parameters action=admin&ctrl=edit. The vulnerable code path includes include/Model/Admin.php::edit, include/Db/Mysql.php::getlist, and include/Db/Mysql.php::query. An attacker can inject SQL commands via the id parameter, as demonstrated by appending and(sleep(5))-- to cause a time delay [1].
Exploitation
An attacker requires network access to the taocms admin panel and must be authenticated as an administrator to reach the vulnerable action=admin&ctrl=edit page. To exploit, the attacker sends a crafted GET request to /admin/admin.php?action=admin&id=2+and(sleep(5))--+&ctrl=edit, where the id parameter includes a time-based blind SQL injection payload. The server response time indicates whether the injection is successful, allowing extraction of data character by character [1].
Impact
Successful exploitation allows an authenticated attacker with admin privileges to execute arbitrary SQL queries on the backend database. This can lead to disclosure of sensitive information such as user credentials, session data, or other database contents. The vulnerability is a blind SQL injection, meaning the attacker does not directly see query results but can infer them through response timing or error messages [1].
Mitigation
As of the published reference (March 2022), no patched version has been released. Users are advised to monitor the taocms repository for updates [1]. Until a fix is available, restricting access to the admin panel to trusted users and applying input sanitization on the id parameter are potential temporary workarounds.
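As an added illustration (not taocms code), the following Python shows the check a hardened edit handler and a log review both rest on: the id parameter must be a bare integer. It parses constructed access-log lines for admin.php requests with action=admin&ctrl=edit, flags any id value that is not a plain integer, and marks the ones carrying the sleep() marker from the advisory; the path, parameter names and payload follow the advisory, the log lines are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
# Line 2 is the advisory's payload, line 3 the same payload URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "GET /admin/admin.php?action=admin&id=2&ctrl=edit HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2022:10:00:09 +0000] "GET /admin/admin.php?action=admin&id=2+and(sleep(5))--+&ctrl=edit HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2022:10:01:00 +0000] "GET /admin/admin.php?action=admin&id=2%20and(sleep(5))--%20&ctrl=edit HTTP/1.1" 200 512
10.0.0.8 - - [01/Mar/2022:10:01:30 +0000] "GET /admin/admin.php?action=admin&id=abc&ctrl=edit HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2022:10:02:00 +0000] "GET /index.php?id=3 HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Time-based blind marker used in the advisory's payload (MySQL sleep()).
TIME_FUNC_RE = re.compile(r"\bsleep\s*\(", re.IGNORECASE)

def is_valid_id(value: str) -> bool:
    """The hardened check: id must be a bare non-negative integer.
    A handler that enforces this before building the query (and binds id
    as a parameter) never lets 'and(sleep(5))--' reach the database."""
    return value.isdigit()

def review_log(log_text: str) -> list:
    """Return one finding per admin edit request whose id is not a bare integer."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/admin.php"):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so both
        # encodings of the payload normalise to the same id value.
        params = parse_qs(url.query, keep_blank_values=True)
        if params.get("action") != ["admin"] or params.get("ctrl") != ["edit"]:
            continue
        for raw in params.get("id", []):
            if is_valid_id(raw):
                continue
            findings.append({
                "client": line.split()[0],
                "id": raw,
                "time_based": bool(TIME_FUNC_RE.search(raw)),
            })
    return findings

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```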
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- taocms/taocms
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/taogogo/taocms/issues/16 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.