Placeto CMS SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in Placeto CMS Alpha version 4. It allows authenticated attackers to manipulate database queries by injecting SQL code through the 'page' parameter. The vulnerability is exploited by sending GET requests with crafted 'page' values to the admin/edit.php endpoint, and boolean-based blind, time-based blind, or union-based SQL injection techniques can be used to extract sensitive information from the database.

Impact

Successful exploitation lets an attacker interfere with the queries the application sends to its database. This could lead to unauthorized data access, data manipulation, or, in some cases, the execution of administrative operations on the database.

Reproduction

To reproduce this vulnerability, an authenticated user can send a GET request to the admin/edit.php page with a crafted 'page' parameter. The injection can be performed using boolean-based blind, time-based blind, or union-based SQL injection techniques. For example, a boolean-based blind injection could involve a payload that tests for a true/false condition in the SQL query.
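
A detection sketch for the requests described above, added here as an example and not part of the original advisory or of Placeto CMS: it scans web-server access log lines for requests to admin/edit.php whose 'page' value departs from an expected format and labels which of the three named techniques the value resembles. The combined log format, the allow-list pattern for legitimate 'page' values, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tokens typical of the three techniques the advisory names, plus SQL metacharacters.
SQLI_HINTS = {
    "union": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "time": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "boolean": re.compile(r"\b(and|or)\b\s+[\w'\"]+\s*(=|<|>|like)", re.I),
    "meta": re.compile(r"['\";]|--|/\*|#"),
}
# Assumption: legitimate 'page' values are short slugs or numeric ids.
EXPECTED = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
REQUEST = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def classify_page_value(value):
    """Return the reasons a decoded 'page' value looks like injection; empty if clean."""
    if EXPECTED.fullmatch(value):
        return []
    reasons = [name for name, rx in SQLI_HINTS.items() if rx.search(value)]
    return reasons or ["unexpected-format"]

def scan(lines):
    """Yield (line_no, page_value, reasons) for suspicious admin/edit.php requests."""
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/admin/edit.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("page", []):
            reasons = classify_page_value(value)
            if reasons:
                yield no, value, reasons

# Constructed sample lines (combined log format), not taken from a real system.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2026:16:01:02 +0000] "GET /admin/edit.php?page=about HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2026:16:01:09 +0000] "GET /admin/edit.php?page=about%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2026:16:01:15 +0000] "GET /admin/edit.php?page=about%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2026:16:01:21 +0000] "GET /admin/edit.php?page=x%27%20UNION%20SELECT%20NULL--%20- HTTP/1.1" 200 731',
    '203.0.113.9 - - [12/Mar/2026:16:02:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for no, value, reasons in scan(SAMPLE):
        print(f"line {no}: page={value!r} -> {', '.join(reasons)}")
```

Because the request requires authentication, correlating each hit with the session or account that issued it narrows triage to the affected admin users.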

Added: Mar 12, 2026, 4:25 PM
Updated: Mar 12, 2026, 4:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.