VYPR
Unrated severity · NVD Advisory · Published May 26, 2022 · Updated Aug 3, 2024

CVE-2022-29664

Description

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/pl_save.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection vulnerability in CSCMS Music Portal System v4.2 allows blind injection via the id parameter in the album save functionality.

Vulnerability

A SQL injection vulnerability exists in CSCMS Music Portal System v4.2 in the pic_Type.php_pl_save handler. The id parameter in a POST request to /admin.php/pic/admin/type/pl_save is not properly sanitized, allowing an attacker to inject arbitrary SQL statements. The vulnerability is a time-based blind SQL injection, as demonstrated by the use of sleep(5) in the payload. The affected version is v4.2, and the attack requires administrative access to the application [1].

Exploitation

An attacker with valid admin credentials can exploit this vulnerability by sending a crafted POST request to the vulnerable endpoint. The request includes a malicious id parameter containing SQL injection payloads, such as id=7)and(sleep(5))--+. By using conditional time delays (e.g., (case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)), the attacker can extract information from the database character by character based on response timing [1].

Impact

Successful exploitation allows an attacker to perform blind SQL injection, enabling the extraction of sensitive data from the database, such as the database name (e.g., the first letter 'c' was identified). This could lead to further compromise of the application and its data, including user credentials or other confidential information [1].

Mitigation

No fix or workaround has been disclosed in the available reference. The vendor has not released a patched version as of the publication date. Users should monitor for updates from the CSCMS project and consider restricting administrative access to trusted users only [1].
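While no patch is available, requests to the affected endpoint can be screened in request logs. The following is an added example, not code from CSCMS or from the cited reference; it assumes a legitimate id is an integer or comma-separated integers, that the field may be named id or id[], and that records are available as (method, path, form body, response seconds).

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/admin.php/pic/admin/type/pl_save"  # path named in the advisory
# Assumption: a legitimate id is an integer or a comma-separated integer list.
NUMERIC_ID = re.compile(r"\d+(,\d+)*")
# SQL fragments that appear in the payloads quoted in the advisory.
SQL_TOKENS = re.compile(r"sleep\s*\(|substr\s*\(|ascii\s*\(|select\b|case\b|--", re.I)

def check_request(method, path, body, elapsed_s, slow_s=4.0):
    """Return the reasons a request matches the advisory's injection pattern."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    params = parse_qs(body, keep_blank_values=True)
    reasons = []
    for key in ("id", "id[]"):  # assumption: either form-field spelling may be used
        for value in params.get(key, []):
            if NUMERIC_ID.fullmatch(value.strip()):
                continue
            reasons.append(f"non-numeric {key}")
            if SQL_TOKENS.search(value):
                reasons.append("sql-token")
    # A delay alone is weak evidence; count it only alongside a bad id value.
    if reasons and elapsed_s >= slow_s:
        reasons.append("slow-response")
    return reasons

def scan(records):
    """Return (index, reasons) for every record that raised at least one reason."""
    return [(i, r) for i, rec in enumerate(records) if (r := check_request(*rec))]

# Constructed sample records: (method, path, form body, response seconds).
SAMPLE = [
    ("POST", ENDPOINT, "id=7", 0.08),
    ("POST", ENDPOINT, "id=7)and(sleep(5))--+", 5.11),
    ("POST", "/some/other/path", "id=7)and(sleep(5))--+", 0.05),
    ("POST", ENDPOINT, "id=3,4,5", 0.10),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE):
        print(index, reasons)
```

The same numeric-only rule can be enforced as a reverse-proxy or WAF rule in front of the admin path, which rejects the request instead of only reporting it.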

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
