SeaCMS SQL Injection Vulnerability in admin_video.php

Vulnerability

A SQL injection vulnerability has been identified in the SeaCMS backend video management module, affecting versions through 13.3. The issue arises in the admin_video.php file, where the e_id parameter is used in SQL queries without sanitization, allowing an attacker to alter the query. This vulnerability is particularly critical because it occurs in the backend, where SQL security checks are disabled, so both UNION-based and time-based blind SQL injection techniques are possible. Exploitation requires backend administrator access.

Impact

Exploitation of this vulnerability allows for SQL injection attacks that can bypass authentication, extract or manipulate data, and potentially escalate privileges by accessing other admin accounts.

Reproduction

To reproduce this vulnerability, log into the SeaCMS backend as an administrator. Navigate to the video management module and send a POST request to admin_video.php with the action parameter set to 'lockall', 'restoreall', or 'delall'. Supply the e_id parameter as an array whose elements carry the payload, for example '-1) UNION SELECT SLEEP(3),2--' for time-based blind SQL injection. The absence of a response delay indicates a failed injection attempt.

Remediation

Sanitize the e_id parameter by validating and cleaning each array element before it is used in any SQL query. Applying intval() to every element ensures that only integer IDs reach the database. Update all affected handlers (lockall, restoreall and delall) to apply this sanitization.
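The following is an added illustration of the remediation, not SeaCMS code: each e_id[] element is passed through intval(), non-positive results are discarded, and the surviving IDs are bound as parameters of a prepared statement. The connection variable $db, the table sea_data and the column is_lock are placeholders assumed for the example.

```php
<?php
// Added example (not SeaCMS code): normalise an e_id[] array before it reaches SQL.
// Assumes a mysqli connection $db (PHP 8.1+); table and column names are placeholders.

/**
 * Return only positive integer IDs from the submitted array.
 * Every element goes through intval(), so a string such as
 * '-1) UNION SELECT SLEEP(3),2--' collapses to -1 and is dropped.
 */
function sanitize_ids(array $raw): array {
    $ids = array_map('intval', $raw);              // coerce each element to int
    $ids = array_filter($ids, fn($id) => $id > 0); // discard 0 and negative results
    return array_values(array_unique($ids));       // reindex, remove duplicates
}

/**
 * Build a parameterised IN (...) clause with one placeholder per ID.
 * Returns null when no valid ID remains so the caller can skip the query.
 */
function build_in_clause(array $ids): ?array {
    if ($ids === []) {
        return null;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ['sql' => "id IN ($placeholders)", 'params' => $ids];
}

// Constructed request body, shaped like the lockall form submission.
$_POST['e_id'] = ['12', '7', '-1) UNION SELECT SLEEP(3),2--', '12'];

$ids    = sanitize_ids($_POST['e_id'] ?? []);  // [12, 7]
$clause = build_in_clause($ids);               // ['sql' => 'id IN (?,?)', 'params' => [12, 7]]

if ($clause !== null) {
    // Placeholder table/column; the IDs travel as bound parameters, never as SQL text.
    $stmt = $db->prepare("UPDATE sea_data SET is_lock = 1 WHERE {$clause['sql']}");
    $stmt->execute($clause['params']);
}
```

With only the payload element submitted, sanitize_ids() returns an empty array and the handler issues no query at all.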

Added: Dec 22, 2025, 12:17 AM
Updated: Dec 22, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.0
exploitability: 6.3
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.