SeaCMS SQL Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A SQL injection vulnerability has been identified in SeaCMS versions through 13.2. It allows remote attackers to execute arbitrary code through the DoTranExecSql parameter of the phome.php component. The application does not properly sanitize this user-supplied input, so injected SQL statements are passed to and executed by the database.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the server where SeaCMS is hosted.

Reproduction

To reproduce this vulnerability, send a POST request to the phome.php component with the DoTranExecSql parameter set; the 'mydbname' parameter must name an existing database. The application first passes the parameters through Ebak_ClearAddsData(), which strips escape characters from them, and then Ebak_DoRunQuery() executes the supplied SQL statement, which is what allows code execution on the server.
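A defender-side check for the request pattern described above, added here as an example and not taken from the advisory or from SeaCMS. It parses a raw HTTP request and flags any request to phome.php carrying a DoTranExecSql parameter (in the query string or a form body, any method), which is suitable for a WAF rule or a log-replay review. Only the script and parameter names come from the advisory; the directory in the sample path and the sample requests are constructed.

```python
from urllib.parse import parse_qs, urlsplit

WATCHED_SCRIPT = "phome.php"        # component named in the advisory
WATCHED_PARAM = "dotranexecsql"     # DoTranExecSql, compared case-insensitively


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path and merged query/form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    tokens = request_line.split()
    method = tokens[0] if tokens else ""
    target = tokens[1] if len(tokens) > 1 else "/"
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    fields = parse_qs(parts.query, keep_blank_values=True)
    # Form-encoded bodies are merged with the query string so a parameter
    # is caught regardless of where the client placed it.
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            fields.setdefault(key, []).extend(values)
    return {"method": method, "path": parts.path, "fields": fields}


def is_suspicious(raw: str) -> bool:
    """True when the request targets phome.php and carries DoTranExecSql."""
    req = parse_request(raw)
    script = req["path"].lower().rsplit("/", 1)[-1]
    if script != WATCHED_SCRIPT:
        return False
    return any(name.lower() == WATCHED_PARAM for name in req["fields"])


# Constructed sample requests; "/some/admin/dir/" is a placeholder directory.
SAMPLE_REQUESTS = {
    "post_form": ("POST /some/admin/dir/phome.php HTTP/1.1\r\nHost: cms.example\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  "DoTranExecSql=1&mydbname=seacms"),
    "get_query": ("GET /some/admin/dir/phome.php?dotranexecsql=1&mydbname=seacms HTTP/1.1\r\n"
                  "Host: cms.example\r\n\r\n"),
    "benign": "GET /index.php?id=5 HTTP/1.1\r\nHost: cms.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(f"{label}: {'FLAGGED' if is_suspicious(raw) else 'ok'}")
```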

Remediation

To address this vulnerability, SeaCMS should use parameterized queries so that user input is kept separate from SQL commands, validate and sanitize user input to block special characters used for injection, and run the application with minimal database permissions so that a successful attack has limited impact.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 9.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.