VYPR
Unrated severity · NVD Advisory · Published Jan 8, 2024 · Updated Jun 3, 2025

CVE-2023-50162

Description

SQL injection vulnerability in EmpireCMS v7.5 allows remote attackers to execute arbitrary code and obtain sensitive information via the DoExecSql function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

EmpireCMS v7.5's DoExecSql function has a SQL injection vulnerability that allows authenticated attackers to achieve remote code execution via file upload.

Vulnerability

A SQL injection vulnerability exists in EmpireCMS v7.5 within the DoExecSql function. The application passes the content of the query POST parameter directly to the DoRunQuery function without any sanitization or filtering [1]. This allows an attacker to execute arbitrary SQL statements. The vulnerability is exploitable when the MySQL server's secure_file_priv variable is set to null (i.e., file operations are allowed) [1].

Exploitation

An attacker must first have access to the EmpireCMS backend (requires valid administrator credentials). Once authenticated, the attacker can craft a POST request containing a malicious SQL statement to the DoExecSql endpoint. For example, the statement select '' into dumpfile '/path/to/webroot/evil.php'; writes a web shell to the server. The path must be within the webroot for the shell to be accessible [1].

Impact

Successful exploitation allows an attacker to write an arbitrary PHP file (or other file types) to the server's filesystem. This can lead to remote code execution (RCE) with the privileges of the web server user, enabling the attacker to execute system commands, further compromise the application, and potentially gain access to sensitive information [1].

Mitigation

The official fix is not yet available in the provided references. The recommended mitigation is to ensure the MySQL secure_file_priv variable is set to a non-null value (e.g., an empty directory or a specific allowed path) to prevent file write operations via SQL [1]. Additionally, input validation and parameterized queries should be implemented for the DoExecSql function.
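
For detection alongside the mitigation above, the following added example (not part of the advisory and not EmpireCMS code) scans MySQL general query log lines for SELECT ... INTO OUTFILE/DUMPFILE statements and rates them by where the file would land. It assumes the general query log is enabled; the WEB_ROOTS paths, the extension list, the function names and the sample log lines are all constructed for illustration.

```python
import posixpath
import re

# Assumptions for this example: adjust to the deployment being monitored.
WEB_ROOTS = ("/var/www", "/usr/share/nginx/html")
SCRIPT_EXTS = {".php", ".phtml", ".phar"}

# General query log layout: <timestamp> <thread id> <command> <argument>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+Query\s+(?P<sql>.+)$")
# SELECT ... INTO OUTFILE/DUMPFILE '<path>' is how SQL writes a server-side file.
FILE_WRITE = re.compile(
    r"\bINTO\s+(?P<kind>OUTFILE|DUMPFILE)\s+(?P<q>['\"])(?P<path>.+?)(?P=q)", re.I)

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    "2024-01-08T10:15:30.000001Z\t   41 Query\tSELECT id, title FROM news LIMIT 10",
    "2024-01-08T10:15:32.000002Z\t   41 Query\tselect '' into dumpfile '/var/www/html/evil.php'",
    "2024-01-08T10:16:02.000003Z\t   42 Query\tSELECT * FROM report INTO OUTFILE '/var/lib/mysql-files/report.csv'",
    "2024-01-08T10:16:05.000004Z\t   42 Connect\tcms@localhost on cmsdb",
]


def classify(path):
    """Return the reasons a file-write target is dangerous (empty if none)."""
    norm = posixpath.normpath(path)  # collapse "." and ".." before comparing
    reasons = []
    if any(norm.startswith(root + "/") for root in WEB_ROOTS):
        reasons.append("under web root")
    if posixpath.splitext(norm)[1].lower() in SCRIPT_EXTS:
        reasons.append("script extension")
    return reasons


def scan(lines):
    """Return one finding per logged statement that writes a file from SQL."""
    findings = []
    for line in lines:
        entry = LOG_LINE.match(line.strip())
        write = entry and FILE_WRITE.search(entry["sql"])
        if not write:
            continue
        reasons = classify(write["path"])
        findings.append({
            "ts": entry["ts"], "thread": int(entry["thread"]),
            "kind": write["kind"].upper(), "path": write["path"],
            "severity": "high" if reasons else "review", "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Statements that span several log lines are not reassembled here, so a production rule should join continuation lines before matching.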

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.
