Easy Hosting Control Panel
cpe:2.3:a:ehcp:easy_hosting_control_panel:*:*:*:*:*:*:*
- 20.04.1.b
A SQL injection vulnerability has been identified in Easy Hosting Control Panel (EHCP) version 20.04.1.b. The issue arises in the Change Settings function, where the 'id' parameter can be manipulated to execute arbitrary SQL commands. This vulnerability allows attackers to interfere with the application's database queries, potentially leading to unauthorized data access or modification.
Exploitation of this vulnerability allows for remote SQL injection, where an attacker can execute arbitrary SQL commands on the application's database. This could lead to unauthorized data access, data manipulation, or in some cases, executing commands on the server under the application's database user privileges.
The vulnerability can be reproduced by sending a crafted request to the 'ehcp/index.php' file with the 'id' parameter. The payload should include a SQL injection string that exploits the application's SQL query handling. Alternatively, the 'theorder' parameter can be used to achieve the same SQL injection effect by sending a POST request to the 'ehcp/?op=domainsettings' endpoint with a similar SQL injection payload.
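The two parameters named above call for different fixes: 'id' is a value and can be bound, while 'theorder', assuming it ends up in an ORDER BY clause as its name suggests, is an identifier and can only be allow-listed. The following is an added example, not EHCP's own code; the `settings` table, its columns and both function names are hypothetical, and an in-memory SQLite database stands in for the application's database.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application's database (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE settings (id INTEGER PRIMARY KEY, name TEXT, value TEXT)');
$db->exec("INSERT INTO settings (name, value) VALUES ('quota', '500'), ('dnsip', '192.0.2.10')");

// 'id' is a value: validate it as a positive integer, then bind it.
function fetchSetting(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject anything that is not a plain positive integer
    }
    $stmt = $db->prepare('SELECT id, name, value FROM settings WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 'theorder' (assumed to feed ORDER BY) is an identifier: placeholders cannot
// bind it, so map the request value onto a fixed allow-list of columns.
function listSettings(PDO $db, string $rawOrder): array
{
    $allowed = ['id' => 'id', 'name' => 'name', 'value' => 'value'];
    $column = $allowed[$rawOrder] ?? 'id'; // unknown input falls back to a safe default
    return $db->query("SELECT id, name, value FROM settings ORDER BY $column")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a well-formed value, then one carrying extra SQL text.
var_dump(fetchSetting($db, '2'));
var_dump(fetchSetting($db, '2 OR 1=1'));

// A known column is used as given; an unknown value is replaced by the default.
var_dump(array_column(listSettings($db, 'name'), 'name'));
var_dump(array_column(listSettings($db, 'name; --'), 'id'));
```

In both functions the request value never becomes part of the SQL text: the integer is bound as a parameter, and the sort column is always one of the literals in `$allowed`.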