CVE-2022-25505

Vulnerability

Taocms v3.0.2 contains a SQL injection vulnerability in the \include\Model\Category.php file [1]. The id parameter is not sanitized in multiple functions (update, getlist, updatelist), allowing injection via the id parameter when editing a category in the admin panel. This affects all installations of Taocms 3.0.2.

Exploitation

An attacker with access to the admin panel can intercept the edit category request (after clicking "Manage section", then "Edit", then "Submit") using Burp Suite and modify the id parameter to include a time-based blind SQL injection payload, for example and if(ascii(substr(database(),1,1))=116,sleep(2),0) [1]. The request triggers three SQL queries, each delayed, resulting in a cumulative delay observable by the attacker.

Impact

Successful exploitation allows an attacker to extract sensitive information from the database using time-based blind injection, potentially compromising the entire database. The attack requires admin-level privileges.

Mitigation

As of the publication date (2022-03-21), no official patch has been released. The suggested fix is to filter the id parameter in the affected functions [1]. Users are advised to restrict admin panel access or apply input sanitization manually.