CVE-2022-29682
Description
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/vod/admin/topic/del.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSCMS Music Portal System v4.2 has a blind SQL injection vulnerability in the id parameter of the /admin.php/vod/admin/topic/del endpoint.
Vulnerability
CSCMS Music Portal System v4.2 contains a blind SQL injection vulnerability in the id parameter of the /admin.php/vod/admin/topic/del endpoint. The flaw resides in the vod_Topic.php_del file and is triggered when an authenticated administrator deletes a video theme. The id parameter is directly concatenated into SQL queries without proper sanitization, allowing an attacker to inject arbitrary SQL commands. Affected version: v4.2 [1].
Exploitation
An attacker must first log in as an administrator and have at least one video theme created. They then send a POST request to /admin.php/vod/admin/topic/del with a crafted id parameter containing SQL injection payloads. For example, id=(sleep(5)) causes a 5-second delay, confirming the injection. The attacker can then use blind SQL injection techniques, such as substr((select database()),1,1)='C', to extract information character by character based on response timing [1].
Impact
Successful exploitation allows an authenticated attacker to perform blind SQL injection, enabling them to extract sensitive data from the database, such as the database name, table structures, and potentially user credentials or other confidential information. The attack does not directly provide remote code execution but can lead to further compromise of the application and its data [1].
Mitigation
As of the publication date (2022-05-26), no official patch or fixed version has been released by the vendor. The project appears to be unmaintained. Mitigation requires manual code review and remediation, such as using parameterized queries or prepared statements for the id parameter, and validating user input. Administrators should restrict access to the admin panel and monitor for suspicious activity [1].
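The remediation named above (a bound parameter plus validation of id), shown as an added example that is not CSCMS code. Python's sqlite3 stands in for the application's PHP code and database, the topic table and all function names are constructed, and a registered marker function named sleep lets the (sleep(5)) value quoted above show whether the input was evaluated as SQL. It assumes id is a single positive integer.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in schema; the real CSCMS table/column names are not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE topic (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO topic VALUES (?, ?)", [(1, "a"), (2, "b")])
    calls = []
    # SQLite has no sleep(); register a harmless marker that records each call,
    # so we can observe whether the database parsed the input as an expression.
    db.create_function("sleep", 1, lambda n: calls.append(n) or 0)
    return db, calls

def delete_concatenated(db, raw_id):
    # The pattern the description reports: input spliced into the statement text.
    db.execute("DELETE FROM topic WHERE id = " + raw_id)

def delete_parameterized(db, raw_id):
    # Bound parameter: the value travels as data and is never parsed as SQL.
    return db.execute("DELETE FROM topic WHERE id = ?", (raw_id,)).rowcount

ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def parse_id(raw_id):
    # Allow-list validation (assumption: id is one positive decimal integer).
    if not isinstance(raw_id, str) or not ID_RE.fullmatch(raw_id):
        raise ValueError("id must be a positive integer")
    return int(raw_id)

def delete_hardened(db, raw_id):
    # Validate first, then bind; either layer alone stops the expression.
    return delete_parameterized(db, parse_id(raw_id))

def demo(value="(sleep(5))"):  # value quoted from the description above
    db, calls = make_db()
    delete_concatenated(db, value)
    evaluated = len(calls) > 0           # marker ran: input was executed as SQL
    db2, calls2 = make_db()
    rows = delete_parameterized(db2, value)
    try:
        delete_hardened(db2, value)
        rejected = False
    except ValueError:
        rejected = True
    return evaluated, (rows, len(calls2)), rejected, delete_hardened(db2, "2")

if __name__ == "__main__":
    print(demo())
```

A rejected id is also worth logging on the server side, since a non-numeric value on this admin endpoint is a useful signal for the monitoring the paragraph recommends.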
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CSCMS/Music Portal System
- Range: =4.2
Patches
No patches discovered yet.
References
- [1] github.com/chshcms/cscms/issues/36 (mitre, x_refsource_MISC)