CVE-2022-29667

Vulnerability

CSCMS Music Portal System v4.2 contains a SQL injection vulnerability in /admin.php/pic/admin/pic/hy, specifically in the pic_Pic.php_hy file when restoring deleted photos from the trash. The id parameter is not properly sanitized before being used in a SQL query, allowing an attacker to inject malicious SQL commands. This affects v4.2 of the software as disclosed in reference [1].

Exploitation

An attacker must be authenticated as an administrator to access the affected admin endpoint. The attack is performed by sending a crafted GET request to /admin.php/pic/admin/pic/hy?id=3)and(sleep(5))--+ with appropriate cookies. The manipulation occurs during the restoration of a deleted photo. The id parameter is injected with a time-based blind SQL injection payload. The attacker can observe a delay of 5 seconds if the injected condition is true, confirming the vulnerability. By adjusting the payload, the attacker can extract database content character by character (e.g., detecting that the first letter of the database name is "c") as shown in reference [1].

Impact

Successful exploitation allows an authenticated attacker to perform time-based blind SQL injection, leading to extraction of sensitive data from the database, such as user credentials or other configuration details. The impact includes information disclosure that could compromise the confidentiality of the system. The attacker is already authenticated as an admin, but the vulnerability extends the reach to the entire database content.

Mitigation

No official patch or fixed version has been published in the available references. The vendor (chshcms) has not released a security update as of the CVE publication date (2022-05-26). Administrators are advised to restrict access to the admin panel, apply input validation, or use parameterized queries. The software appears to be in an unmaintained state; migration to an alternative solution may be considered.