PHPJabbers Simple CMS SQL Injection Vulnerability

A SQL injection vulnerability has been identified in PHPJabbers Simple CMS version 5.0. The issue resides in the 'column' parameter of the index.php endpoint, allowing remote attackers to manipulate database queries. Exploitation of this vulnerability could lead to unauthorized extraction or modification of database information.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to the '/simplecms/index.php' endpoint with the 'column' parameter set to a crafted SQL payload. The request should include the 'action' parameter set to 'pjActionGetFile', along with the 'controller', 'direction', 'page', and 'rowCount' parameters. The injected SQL payload can be crafted to exploit either boolean-based blind or error-based SQL injection techniques.