CVE-2022-29685

Vulnerability

CSCMS Music Portal System v4.2 is vulnerable to a blind SQL injection attack in the id parameter of the /admin.php/User/level_sort endpoint. The vulnerability resides in the sys_User.php_level_sort function, which fails to sanitize user input. An attacker with an active admin session can inject malicious SQL payloads via the xid POST parameter, leading to time-based blind SQL injection [1].

Exploitation

An attacker must first authenticate as an admin and obtain a valid session cookie. The exploit sends a POST request to /admin.php/User/level_sort with a crafted xid parameter, such as xid[1]=(sleep(5)). If the server delays for 5 seconds, the injection is successful. The attacker can then use conditional time-based payloads to extract database contents character by character, e.g., by testing ASCII values of substrings [1].

Impact

Successful exploitation allows an authenticated admin to extract sensitive information from the database, such as the database name (e.g., "cscms"). This could lead to further compromise of the application and its data, including user credentials and other confidential records. The attack does not require special privileges beyond admin access [1].

Mitigation

As of the published date, no official patch or fix has been released for CVE-2022-29685. The vendor has not addressed the issue in the available references [1]. Mitigation measures include restricting admin access to trusted users only, implementing strict input validation and parameterized queries for the affected endpoint, and monitoring for suspicious requests. The vulnerable version should be upgraded once a patch becomes available.