Saurus CMS Community Edition SQL Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A critical SQL injection vulnerability has been identified in Saurus CMS Community Edition version 4.7.1. The issue arises in the custom DB::prepare() function, which improperly uses preg_replace() with the deprecated /e modifier to interpolate SQL query parameters. This vulnerability allows for the injection of user-controlled SQL statements, which could be exploited to execute arbitrary PHP code on the server.

Impact

Exploitation of this vulnerability allows for SQL injection, with the potential to execute arbitrary PHP code on the server, leading to remote code execution.

Reproduction

The vulnerability can be reproduced by sending a crafted SQL query that exploits the vulnerable preg_replace() function in the DB::prepare() method. The injection can be done using a multibyte character sequence that bypasses the SQL parameter escaping, allowing the attacker to inject and execute arbitrary SQL commands.

Remediation

Users are advised to upgrade to a version of Saurus CMS that does not use the deprecated /e modifier in preg_replace() and to sanitize SQL parameter inputs. Additionally, upgrading to PHP 7.0 or later is recommended.
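The remediation above, as an added example that is not Saurus CMS's own code: a minimal form of the /e-modifier interpolation pattern the advisory describes, beside a prepare() that rewrites placeholders into PDO bind parameters so that values never enter the SQL text. The {n} placeholder syntax and the PDO setup are assumptions for this example.

```php
<?php
// Added illustration, not Saurus CMS code. Placeholder syntax "{0}", "{1}"
// is an assumption for this example.

// WEAK PATTERN (PHP < 7 only; the /e modifier was removed in PHP 7.0, where
// it yields a warning and a null result). With /e the replacement string is
// evaluated as PHP, and the value is spliced into the SQL text after
// string-based escaping, which is the step a multibyte sequence can defeat
// when the escaping is not aware of the connection character set.
function weak_prepare(string $sql, array $params): ?string {
    return preg_replace(
        '/\{(\d+)\}/e',
        '"\'" . addslashes($params[$1]) . "\'"',
        $sql
    );
}

// HARDENED: turn each "{n}" into a positional "?" placeholder and pass the
// values to the driver separately. No value ever touches the query string,
// so string escaping (and any multibyte trick against it) no longer matters.
function hardened_prepare(PDO $db, string $sql, array $params): PDOStatement {
    $bound = [];
    $rewritten = preg_replace_callback(
        '/\{(\d+)\}/',
        function (array $m) use ($params, &$bound): string {
            $idx = (int) $m[1];
            if (!array_key_exists($idx, $params)) {
                throw new InvalidArgumentException("missing parameter {$idx}");
            }
            $bound[] = $params[$idx];
            return '?';
        },
        $sql
    );
    // Use server-side prepares so the query/value separation is real, not
    // emulated by client-side escaping.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare($rewritten);
    $stmt->execute($bound);
    return $stmt;
}

// Usage sketch (connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', $user, $pass);
// $stmt = hardened_prepare($db,
//     'SELECT id FROM users WHERE name = {0} AND role = {1}', ['alice', 'editor']);
// $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Setting the connection charset in the DSN matters as well: escaping and multibyte handling are only consistent when the client and server agree on the character set.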

Added: Aug 19, 2025, 2:28 PM
Updated: Aug 19, 2025, 2:28 PM

Vulnerability Rating

Custom Algorithm

spread: 1.6
impact: 10.0
exploitability: 9.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.