CVE-2022-23387
Description
An issue was discovered in taocms 3.0.2. This is a SQL blind injection that can obtain database data through the Comment Update field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind SQL injection vulnerability in taocms 3.0.2 allows an authenticated attacker to extract database contents via the Comment Update field.
Vulnerability
The vulnerability is a blind SQL injection in taocms version 3.0.2. It exists in the Comment Update functionality accessed via the action=comment&ctrl=update endpoint in /admin/admin.php. The GET/POST parameter id is not sanitized before being used in SQL queries, allowing an attacker to inject SQL code [2]. The affected code path involves files include/Model/Comment.php and include/Db/Mysql.php [2].
Exploitation
An attacker must be authenticated to the admin panel. The exploitation requires sending a crafted POST request to /admin/admin.php with parameters such as action=comment&id=5)and(sleep(10))--+&ctrl=update&name=a. This injects a time-based payload into the id field, causing a detectable delay (e.g., sleep(10)) if the query executes successfully. An attacker can then iteratively extract data character by character using conditional delay queries [2].
Impact
Successful exploitation allows an attacker to extract arbitrary data from the database, potentially including sensitive information such as user credentials, session tokens, or application settings. This is a blind injection—the attacker does not see error messages but can infer information based on response timing [1][2].
Mitigation
As of the published references, no patched version has been released. The vendor repository (taogogo/taocms) does not show a fix for this issue [1]. Users should upgrade to a version beyond 3.0.2 if a patch becomes available, or restrict access to the admin panel until a fix is deployed.
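As an added example (not part of this CVE record or of the taocms project), the following Python script looks for the request pattern the Exploitation section describes in web server access logs: requests to /admin/admin.php with action=comment&ctrl=update whose id parameter is not a plain integer or contains a timing function, cross-checked against the recorded response time. The log format (common log format with a request-time field appended, as nginx's $request_time would produce), the IP addresses and sample lines, the 5-second threshold, and the is_valid_comment_id allow-list check are all assumptions made for this example. The sample also includes a legitimate numeric id with a slow response, to show that duration alone is a weak signal and should be combined with the parameter check.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not taken from the page). Format assumed:
# common log format followed by the response time in seconds.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2022:14:01:02 +0000] "POST /admin/admin.php?action=comment&id=5&ctrl=update&name=a HTTP/1.1" 200 512 0.012
10.0.0.5 - - [10/Mar/2022:14:01:09 +0000] "POST /admin/admin.php?action=comment&id=5)and(sleep(10))--+&ctrl=update&name=a HTTP/1.1" 200 512 10.021
10.0.0.7 - - [10/Mar/2022:14:02:30 +0000] "GET /admin/admin.php?action=comment&ctrl=list HTTP/1.1" 200 2048 0.008
10.0.0.9 - - [10/Mar/2022:14:03:11 +0000] "POST /admin/admin.php?action=comment&id=7abc&ctrl=update&name=b HTTP/1.1" 200 512 0.010
10.0.0.5 - - [10/Mar/2022:14:04:40 +0000] "POST /admin/admin.php?action=comment&id=12&ctrl=update&name=c HTTP/1.1" 200 512 6.200
"""

# One line of the assumed log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>[\d.]+)$'
)

# Allow-list for the id parameter: a decimal integer and nothing else.
ID_OK = re.compile(r"^\d{1,10}$")
# SQL time-delay functions across common engines; a legitimate comment id never contains these.
SQL_TIME_HINT = re.compile(r"\b(sleep|benchmark|waitfor|pg_sleep)\b", re.I)
# Assumed threshold: responses slower than this are worth a second look.
SLOW_SECONDS = 5.0


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qs decodes %xx escapes and turns '+' into a space, so the check sees the decoded value.
    rec["params"] = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    rec["rt"] = float(rec["rt"])
    return rec


def is_valid_comment_id(value):
    """Server-side allow-list check for the id parameter (an assumed defensive check, not taocms code).
    Rejecting anything that is not an integer before it reaches the query removes this injection
    vector; parameterized queries are still required as the primary defence."""
    return bool(ID_OK.match(value))


def classify(rec):
    """Return the findings for one parsed request; an empty list means nothing suspicious."""
    findings = []
    if rec["path"] != "/admin/admin.php":
        return findings
    p = rec["params"]
    if p.get("action") != "comment" or p.get("ctrl") != "update":
        return findings
    id_value = p.get("id", "")
    if not is_valid_comment_id(id_value):
        findings.append("non-numeric id")
    if SQL_TIME_HINT.search(id_value):
        findings.append("time-based SQL function in id")
    if rec["rt"] >= SLOW_SECONDS:
        findings.append(f"slow response ({rec['rt']:.1f}s)")
    return findings


def scan(log_text):
    """Scan a block of log text; return (ip, id parameter, findings) for each flagged request."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if findings:
            alerts.append((rec["ip"], rec["params"].get("id", ""), findings))
    return alerts


if __name__ == "__main__":
    for ip, id_value, findings in scan(SAMPLE_LOG):
        print(f"{ip} id={id_value!r}: {', '.join(findings)}")
```

Run against the constructed sample, the script flags the request carrying the page's sleep payload on all three signals, the malformed id only on the allow-list check, and the legitimate-but-slow request only on timing; that last case is the one to treat as a lead rather than an alert on its own.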
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- taocms/taocms
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/taogogo/taocms/issues/23
News mentions
No linked articles in our index yet.