CVE-2022-29661
Description
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/save.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSCMS Music Portal System v4.2 contains a blind SQL injection vulnerability in the album delete function via the id parameter.
Vulnerability
CSCMS Music Portal System v4.2 is vulnerable to a blind SQL injection in the /admin.php/pic/admin/type/del endpoint. By manipulating the id parameter in a POST request when deleting an album from the recycle bin, an authenticated administrator can inject malicious SQL statements. The issue is present in the pic_Type.php_del function and affects version 4.2 [1].
Exploitation
To exploit this vulnerability, an attacker must first log in with valid administrator credentials. After creating an album, the attacker sends a POST request to /admin.php/pic/admin/type/del with a crafted id parameter, such as id=4)and(sleep(5))--+. The payload results in a 5-second database delay, confirming the blind SQL injection [1].
Impact
A successful blind SQL injection allows the attacker to extract the entire database schema, including sensitive data such as usernames and passwords. The attacker can use timing-based techniques to retrieve information byte by byte. The vulnerability is limited to authenticated administrators but exposes the database to full compromise [1].
Mitigation
The vendor has not released a patched version as of the publication date (2022-05-26). Administrators should restrict access to the admin panel, monitor for suspicious POST requests to /admin.php/pic/admin/type/del, and consider applying input validation or a web application firewall as a temporary workaround until an official fix is available [1].
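Added example, not code from the page or from the CSCMS project: a Python check that implements the two workarounds above, an allow-list validator for the id parameter and a scan of request-log records for POST requests to the named admin endpoints whose id is not a plain integer. It assumes a WAF or reverse proxy that records the request body as JSON lines; the log records and addresses are constructed.

```python
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Admin endpoints named in this CVE record (the AI Insight cites .../type/del,
# the description cites .../type/save); both are watched.
WATCHED_PATHS = {"/admin.php/pic/admin/type/del", "/admin.php/pic/admin/type/save"}

# A legitimate album id is a short decimal integer. Quotes, parentheses, SQL
# keywords or comment markers never pass this allow-list, so they never reach a query.
ID_RE = re.compile(r"^\d{1,10}$")


def is_valid_id(value: str) -> bool:
    """Allow-list check for the id parameter: digits only, bounded length."""
    return bool(ID_RE.fullmatch(value))


def classify_request(record: dict) -> Optional[str]:
    """Return a reason if a POST to a watched endpoint carries a malformed id, else None."""
    if record.get("method") != "POST" or record.get("path") not in WATCHED_PATHS:
        return None
    params = parse_qs(record.get("body", ""), keep_blank_values=True)
    for raw in params.get("id", []):
        if not is_valid_id(raw):
            return f"non-numeric id {raw!r} sent to {record['path']}"
    return None


# Constructed sample records, as a proxy that logs the POST body might emit them.
SAMPLE_LOG = """
{"ts": "2022-05-26T10:00:01Z", "src": "192.0.2.10", "method": "POST", "path": "/admin.php/pic/admin/type/del", "body": "id=4"}
{"ts": "2022-05-26T10:00:02Z", "src": "192.0.2.10", "method": "POST", "path": "/admin.php/pic/admin/type/del", "body": "id=4)and(sleep(5))--+"}
{"ts": "2022-05-26T10:00:03Z", "src": "192.0.2.11", "method": "GET", "path": "/admin.php/pic/admin/type/del", "body": ""}
{"ts": "2022-05-26T10:00:04Z", "src": "192.0.2.12", "method": "POST", "path": "/admin.php/pic/admin/type/save", "body": "id=7'&name=x"}
"""


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Scan JSON-lines records; return (timestamp, source, reason) for each flagged request."""
    hits = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        reason = classify_request(rec)
        if reason:
            hits.append((rec["ts"], rec["src"], reason))
    return hits


if __name__ == "__main__":
    for ts, src, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {src}: {reason}")
```

The same `is_valid_id` check, applied server-side before the id is used in the DELETE query, is the input-validation workaround; a parameterized query in the handler remains the proper fix.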
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CSCMS / Music Portal System
- Range: = 4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/chshcms/cscms/issues/21 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.