Hoosk CMS SQL Injection Vulnerability in Install Component

A SQL injection vulnerability exists in Hoosk CMS version 1.7.1, specifically within the install index.php component. This vulnerability allows remote attackers to manipulate SQL queries and potentially access sensitive information from the database. The issue arises because the siteName parameter is directly appended to the SQL statement without proper validation or sanitization.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to the /install/index.php endpoint with the siteName parameter included. The parameter can be crafted to inject SQL payloads, taking advantage of the application's lack of input filtering. After capturing the request, it can be saved as a text file and used with sqlmap, a popular SQL injection automation tool, to exploit the vulnerability.