FOXCMS Time-Based Blind SQL Injection Vulnerability in installdb.php

Vulnerability

A time-based blind SQL injection vulnerability has been identified in FOXCMS versions through 1.25. The issue arises in the installdb.php file, where the url_prefix, domain, and my_website POST parameters are directly appended to SQL statements without adequate input sanitization. This vulnerability allows attackers to inject malicious SQL code that includes time-delay functions, such as SLEEP(). By monitoring the application's response times, attackers can deduce information from the database, such as database names, table structures, and other sensitive data, which could potentially lead to a complete database compromise.

Impact

Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can manipulate SQL queries and infer database information based on the application's response time.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.4

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.4

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

FOXCMS Time-Based Blind SQL Injection Vulnerability in installdb.php

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating