IdeaCMS SQL Injection Vulnerability in Article and Goods Functions

Vulnerability

A critical SQL injection vulnerability has been identified in IdeaCMS versions through 1.7. The issue arises in the Article and Goods functions within the file '/api/v1.index.article/getList.html'. The vulnerability is triggered by manipulating the 'field' parameter, allowing remote attackers to inject malicious SQL code. This could lead to unauthorized access to database information, such as admin credentials, and potentially allow for further exploitation of the application.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could result in unauthorized data access, data modification, or administrative control over the database. In this case, it was possible to extract the credentials of the mall administrator.

Reproduction

To reproduce this vulnerability, send a request to the '/api/v1.index.article/getList.html' or '/api/v1.index.goods/getList.html' endpoints. Include the 'field' parameter with a value that exploits the SQL injection vulnerability, such as a payload that concatenates SQL query results. The injection can be confirmed by successfully extracting data, such as admin credentials, from the database.

Remediation

Upgrade to IdeaCMS version 1.8, which addresses this vulnerability. The patched version is available for download on Gitee.
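
To check whether the two endpoints named above have been probed, the following added example (not IdeaCMS code and not part of the original advisory) scans web access logs for 'field' values that are anything other than a plain list of column names. It assumes a combined-format access log and that legitimate clients only send comma-separated column names; the log lines are constructed, and parameters sent in a POST body will not appear in such logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the advisory, lower-cased for a case-insensitive match.
ENDPOINTS = {
    "/api/v1.index.article/getlist.html",
    "/api/v1.index.goods/getlist.html",
}
# Assumption: a legitimate 'field' value is a comma-separated list of
# plain column names; anything else is reported.
SAFE_FIELD = re.compile(r"\s*[A-Za-z_]\w*(\s*,\s*[A-Za-z_]\w*)*\s*", re.ASCII)
# Assumption: common/combined log format with the request line in quotes.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_fields(log_line):
    """Return decoded 'field' values in this request that are not column lists."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if unquote(url.path).lower() not in ENDPOINTS:
        return []
    # parse_qs percent-decodes values, so encoded payloads are checked decoded.
    values = parse_qs(url.query).get("field", [])
    return [v for v in values if not SAFE_FIELD.fullmatch(v)]


def scan(lines):
    """Return (line_number, field_value) for every suspicious request."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        hits.extend((lineno, v) for v in suspicious_fields(line))
    return hits


# Constructed sample log lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2025:10:00:01 +0000] "GET /api/v1.index.article/getList.html?field=id,title HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Sep/2025:10:00:05 +0000] "GET /api/v1.index.goods/getList.html?field=id%2C(select%201) HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Sep/2025:10:00:09 +0000] "GET /index.html?field=(select%201) HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious field value {value!r}")
```

The same column-name pattern can serve as a server-side allowlist check in front of an unpatched instance until the upgrade is applied.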

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 5.0
exploitability: 6.8
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.