Kohana KodiCMS SQL Injection Vulnerability in Search API Endpoint

Vulnerability

A SQL injection vulnerability has been identified in Kohana KodiCMS versions through 13.82.135. The issue resides in the Search API Endpoint, specifically within the 'like' function of 'cms/modules/pages/classes/kodicms/model/page.php'. The vulnerability allows for remote exploitation by manipulating the 'keyword' argument, leading to unauthorized SQL command execution. This flaw arises because user input is improperly sanitized before being incorporated into SQL queries, enabling attackers to inject malicious SQL payloads.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to data exfiltration, authentication bypass, and in some cases, remote code execution.

Reproduction

To reproduce this vulnerability, an authenticated user or anyone with a valid API key can access the '/backend/api-pages.search' endpoint. The 'search' parameter can be manipulated to include SQL injection payloads. After the injection, the response can be analyzed to confirm successful exploitation, such as extracting database information or bypassing search conditions.

Remediation

The recommended fix is to replace the vulnerable code in 'cms/modules/pages/classes/kodicms/model/page.php' by removing the 'DB::expr()' wrapper from user-controlled input and implementing proper input validation and sanitization. Additionally, using parameterized queries consistently throughout the application and applying the principle of least privilege for database accounts can help mitigate such vulnerabilities.
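The difference between a raw expression and a bound value, shown as an added example that is not KodiCMS code: it uses PDO with an in-memory SQLite database instead of Kohana's query builder, and the table, columns, function names and inputs are hypothetical. String concatenation stands in for the 'DB::expr()' pattern, since a value wrapped in 'DB::expr()' is inserted into the query without quoting.

```php
<?php
// Added example, not KodiCMS code. Schema and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
$pdo->exec("INSERT INTO pages (title, published) VALUES
    ('Release notes', 1), ('Pricing', 1), ('Internal draft', 0)");

// Weak: the keyword becomes part of the SQL text, the same effect as
// passing user input through a raw, unquoted expression.
function search_raw(PDO $pdo, string $keyword): array
{
    $sql = "SELECT title FROM pages WHERE published = 1 AND title LIKE '%" . $keyword . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Corrected: the keyword is sent as a bound value, and LIKE metacharacters
// are escaped so the input can only match as literal text.
function search_bound(PDO $pdo, string $keyword): array
{
    // Single pass: escape the escape character itself, then % and _.
    $literal = strtr($keyword, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    $stmt = $pdo->prepare(
        "SELECT title FROM pages WHERE published = 1 AND title LIKE :kw ESCAPE '\\'"
    );
    $stmt->execute([':kw' => '%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: an ordinary keyword, a bare wildcard, and a value
// containing a quote that changes the WHERE clause in the weak version.
$keywords = ['Pric', '%', "' OR 1=1 --"];
foreach ($keywords as $kw) {
    printf(
        "%-14s raw=%s bound=%s\n",
        json_encode($kw),
        json_encode(search_raw($pdo, $kw)),
        json_encode(search_bound($pdo, $kw))
    );
}
```

With the quoted input, the weak function returns the unpublished row because the 'published = 1' condition no longer constrains the result, while the bound version returns no rows. The "ESCAPE '\'" clause is written for SQLite; other databases treat backslashes in string literals differently.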

Added: Dec 31, 2025, 6:19 PM
Updated: Dec 31, 2025, 9:09 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.