CVE-2022-29681
Description
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Links/del.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSCMS Music Portal System v4.2 has a blind SQL injection in the id parameter of /admin.php/Links/del, allowing authenticated admins to extract database info.
Vulnerability
CSCMS Music Portal System v4.2 contains a blind SQL injection vulnerability in the id parameter of the /admin.php/Links/del endpoint. The flaw resides in the sys_Links.php_del function, which fails to sanitize the id parameter when deleting a friendship link. An attacker must be logged in as an administrator and have at least one friendship link added to reach the vulnerable code path [1].
Exploitation
An authenticated administrator sends a POST request to /admin.php/Links/del with the id[] parameter containing a malicious SQL payload. The reference demonstrates a time-based blind injection using sleep(5) to confirm the vulnerability, and a conditional payload to extract the database name character by character (e.g., (case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)) [1].
Impact
Successful exploitation lets an attacker use blind SQL injection to extract sensitive information from the database, such as the database name (cscms). This could lead to further compromise of the application and its data [1].
Mitigation
No official patch or fixed version has been released as of the publication date. The vendor has not addressed the issue in the referenced GitHub issue. As a workaround, restrict administrative access to trusted users and implement input validation on the id parameter to reject unexpected data types [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
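The input-validation workaround from the Mitigation section, sketched as an added example (not CSCMS code and not taken from the referenced issue): the id / id[] value is accepted only as a list of positive integers and is then bound into a prepared statement. The function names, the `links` table and the in-memory SQLite demo are assumptions made for illustration; it assumes PHP 8 with pdo_sqlite.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: normalise the id / id[] POST value to positive integers.
function parse_link_ids(mixed $raw): array
{
    $values = is_array($raw) ? $raw : [$raw];
    if ($values === [] || count($values) > 100) {
        throw new InvalidArgumentException('id list is empty or too long');
    }
    $ids = [];
    foreach ($values as $v) {
        // Only short strings of ASCII digits pass; nested arrays, SQL fragments,
        // signs, spaces and zero are all rejected before any query is built.
        if (!is_string($v) || !ctype_digit($v) || strlen($v) > 9 || (int)$v < 1) {
            throw new InvalidArgumentException('id must be a positive integer');
        }
        $ids[] = (int)$v;
    }
    return array_values(array_unique($ids));
}

// Hypothetical delete routine: one placeholder per id, values bound as integers.
function delete_links(PDO $db, array $ids): int
{
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM links WHERE id IN ($marks)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory database (placeholder table name).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO links (id, name) VALUES (1, 'a'), (2, 'b'), (3, 'c')");

// First input is a normal id[] list; second is a non-numeric value like the page's sleep(5) probe.
foreach ([['1', '3'], ['sleep(5)']] as $input) {
    try {
        echo 'deleted rows: ', delete_links($db, parse_link_ids($input)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Validation alone narrows the accepted input; the bound parameters are what keep the value out of the SQL text even if a check is later loosened.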
Affected products
- CSCMS/Music Portal System
  - Range: =4.2
Patches
No patches discovered yet.
References
[1] github.com/chshcms/cscms/issues/35 (mitre, x_refsource_MISC)