FastCMS SQL Injection Vulnerability in Article List API

Vulnerability

A critical SQL injection vulnerability has been identified in FastCMS versions up to and including 0.1.5. The issue resides in the '/api/client/article/list' and '/api/client/article/list/open' endpoints, where the 'orderBy' parameter can be manipulated to execute arbitrary SQL commands. The vulnerability is exploitable remotely, and the injection is time-based (blind), so an attacker can extract information from the database by observing response delays rather than error messages or returned data.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, log into the application with a regular account to obtain an authorization token. Then send a GET request to the '/api/client/article/list' or '/api/client/article/list/open' endpoint that includes the 'orderBy' parameter. A crafted parameter value, such as a conditional statement that introduces a measurable delay, confirms that the injected SQL is executed.

Remediation

It is recommended to implement proper validation of the 'orderBy' parameter to prevent SQL injection attacks. This could involve whitelisting acceptable values or using prepared statements that separate SQL logic from data. Note that column names in an ORDER BY clause cannot be bound as prepared-statement parameters, so for this parameter the effective control is mapping the supplied value onto a fixed set of known column names and sort directions and rejecting anything else.
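The following is an added illustration of the whitelisting approach described above; it is not FastCMS code, and the article table, its sortable columns and the sample rows are assumptions constructed for the example. The 'orderBy' value is mapped onto a fixed set of columns and directions before it is spliced into the query, while values such as the row limit are still bound as parameters.

```python
# Added example (not FastCMS code): allowlist validation for an 'orderBy'
# parameter before it is placed in an ORDER BY clause. The table, columns and
# sample rows below are constructed for illustration only.
import re
import sqlite3

# Hypothetical sortable fields of the article table, mapped to real column names.
ALLOWED_ORDER_COLUMNS = {"id": "id", "created": "created", "views": "views"}
ALLOWED_DIRECTIONS = {"asc", "desc"}
_TOKEN = re.compile(r"^(?P<col>[a-z_]+)(?:\s+(?P<dir>[a-z]+))?$", re.IGNORECASE)


def build_order_clause(order_by):
    """Translate a user-supplied 'orderBy' value into a safe ORDER BY clause.

    Identifiers cannot be bound as prepared-statement parameters, so the input
    is mapped onto known columns and directions; anything else is rejected.
    """
    if not order_by:
        return "ORDER BY id DESC"  # default sort when no value is supplied
    parts = []
    for item in order_by.split(","):
        m = _TOKEN.match(item.strip())
        col = ALLOWED_ORDER_COLUMNS.get(m.group("col").lower()) if m else None
        direction = (m.group("dir") or "asc").lower() if m else None
        if col is None or direction not in ALLOWED_DIRECTIONS:
            raise ValueError("rejected orderBy value: %r" % item)
        parts.append("%s %s" % (col, direction.upper()))
    return "ORDER BY " + ", ".join(parts)


def list_articles(conn, order_by, limit=10):
    """Run the article list query; the validated clause is spliced in,
    while 'limit' (user data) is bound as a real parameter."""
    sql = "SELECT id, title FROM article %s LIMIT ?" % build_order_clause(order_by)
    return conn.execute(sql, (limit,)).fetchall()


def demo_connection():
    """In-memory table populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER, title TEXT, created TEXT, views INTEGER)")
    conn.executemany(
        "INSERT INTO article VALUES (?, ?, ?, ?)",
        [(1, "first", "2025-01-01", 5), (2, "second", "2025-02-01", 50),
         (3, "third", "2025-03-01", 20)],
    )
    return conn
```

Any value that is not a known column optionally followed by a known direction raises before a query is built, so the request can be answered with a 400 rather than reaching the database.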

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:          1.0
impact:          5.0
exploitability:  9.7
remediation:     0.0
relevance:       0.0
threat:          6.4
urgency:         2.9
incentive:      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.