WCMS 11 SQL Injection Vulnerability in AnonymousController.php

A critical SQL injection vulnerability has been identified in WCMS version 11. The issue arises in the 'app/controllers/AnonymousController.php' file, specifically within the 'setLogin' function. The vulnerability is triggered by manipulating the 'mobile_phone' parameter in the 'anonymous/setlogin' interface, allowing remote attackers to inject malicious SQL statements. This could lead to severe consequences such as unauthorized access to the website and theft of sensitive data. Other parameters may also be vulnerable.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to 'http://wcms.com/index.php?anonymous/setlogin' with the 'mobile_phone' parameter containing a crafted value that includes SQL injection payloads. The request should include a valid session cookie.

Remediation

It is recommended to filter the 'mobile_phone' parameter value thoroughly and to use prepared statements for SQL queries to prevent direct concatenation of parameters into SQL commands.