VYPR
Unrated severity · NVD Advisory · Published Apr 15, 2022 · Updated Aug 3, 2024

CVE-2022-27369

Description

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component news_News.php_hy.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cscms Music Portal System v4.2 contains a blind SQL injection vulnerability in news_News.php_hy, allowing authenticated admin users to execute arbitrary SQL queries.

Vulnerability

Cscms Music Portal System v4.2 is vulnerable to a blind SQL injection in the news_News.php_hy component, specifically within the hy function of the News controller. The flaw occurs when restoring articles from the recycle bin; the id parameter is not properly sanitized before being used in a SQL query. This allows an authenticated administrator to inject malicious SQL statements. The vulnerability is present in version 4.2 [1].

Exploitation

An attacker must have administrator-level access to the Cscms backend. The exploitation sequence involves: logging in as admin, adding a news article, deleting it to the recycle bin, and then sending a crafted GET request to /admin.php/news/admin/news/hy with a malicious id parameter. For example, the payload id=5)and(sleep(5))--+ causes a 5-second delay, confirming the injection. The attacker can then use time-based blind SQL injection to extract data character by character [1].

Impact

Successful exploitation allows an attacker to perform blind SQL injection, enabling them to extract sensitive information from the database, such as the database name (e.g., the first letter 'c' was identified). This could lead to full compromise of the database, including user credentials and other confidential data. The attack requires no privileges beyond an administrator account, so valid admin credentials are a prerequisite [1].

Mitigation

As of the publication date (2022-04-15), no official patch or fixed version has been released for Cscms Music Portal System v4.2. The vendor has not provided a workaround. Users should consider applying input sanitization to the id parameter in the hy function or restrict access to the recycle bin functionality until a patch is available [1].
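One way to implement the input sanitization the mitigation suggests, as an added example that is not Cscms code (Cscms is a PHP application; this Python/sqlite3 version is a stand-in that assumes a news table with a deleted flag marking rows in the recycle bin). The id parameter is checked against a strict allow-list before it is bound as a query parameter, so a value such as the advisory's 5)and(sleep(5))--+ is rejected outright and can never reach the SQL text:

```python
import re
import sqlite3

# Strict allow-list for the recycle-bin "id" parameter: one or more positive
# integers separated by commas. Anything else (quotes, parentheses, comment
# markers, SQL keywords) is rejected before it gets anywhere near a query.
ID_LIST_RE = re.compile(r"^\s*[1-9][0-9]*(\s*,\s*[1-9][0-9]*)*\s*$")


def is_valid_id_list(raw: str) -> bool:
    """Return True only if raw is a comma-separated list of positive integers."""
    return bool(ID_LIST_RE.match(raw))


def parse_ids(raw: str) -> list[int]:
    """Convert a validated id list to ints; raise ValueError otherwise."""
    if not is_valid_id_list(raw):
        raise ValueError(f"rejected id parameter: {raw!r}")
    return [int(part) for part in raw.split(",")]


def make_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the news table (assumption: the real Cscms
    schema is not described in the advisory). deleted=1 marks a row as
    sitting in the recycle bin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, deleted INTEGER)"
    )
    conn.executemany(
        "INSERT INTO news (id, title, deleted) VALUES (?, ?, ?)",
        [(1, "first", 1), (5, "fifth", 1), (7, "seventh", 0)],
    )
    conn.commit()
    return conn


def restore_from_recycle_bin(conn: sqlite3.Connection, raw_id: str) -> int:
    """Hardened restore handler: validate the ids, then bind them as
    parameters instead of concatenating them into the statement.

    Returns the number of rows actually restored.
    """
    ids = parse_ids(raw_id)
    # The only thing interpolated into the SQL text is a list of "?" markers.
    placeholders = ",".join("?" * len(ids))
    cur = conn.execute(
        f"UPDATE news SET deleted = 0 WHERE deleted = 1 AND id IN ({placeholders})",
        ids,
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_sample_db()
    print(restore_from_recycle_bin(db, "1,5"))       # 2 rows restored
    print(is_valid_id_list("5)and(sleep(5))--+"))   # False
    try:
        restore_from_recycle_bin(db, "5)and(sleep(5))--+")
    except ValueError as exc:
        print(exc)
```

The allow-list runs first so that a rejected value is logged and refused rather than silently coerced; the parameterized IN clause then guarantees that even a value that slipped past validation would be treated as data, not SQL. Restricting the recycle-bin route to a small set of administrator accounts, as the mitigation also notes, is an independent control and is not replaced by this check.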

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)