Subrion CMS Privilege Escalation Vulnerability in SQL Query Tool

Vulnerability

Subrion CMS version 4.2.1 exposes the built-in 'Run SQL Query' feature of the SQL Tool admin panel to moderator accounts as well as administrators, and applies no restriction to the statements submitted there. The feature executes whatever SQL it receives with the privileges of the MySQL account Subrion connects with, so a moderator, a role intended to have limited permissions, can run statements the CMS never meant to delegate: altering database users, granting privileges, and executing Data Definition Language (DDL) commands. Where the application's MySQL account is root or holds ALL PRIVILEGES with GRANT OPTION, the moderator effectively gains MySQL root-equivalent access and can take over the database completely.

Impact

A moderator exploiting this vulnerability can obtain MySQL root-equivalent access, create or delete database users, grant themselves privileges, and drop entire tables. The ceiling on the damage is the privilege set of the MySQL account Subrion uses: the moderator inherits exactly what that account holds, no more and no less.

Reproduction

To reproduce this vulnerability, log into Subrion CMS 4.2.1 with a moderator account. Navigate to 'Settings', then 'Database', and open 'SQL Tool'. Run 'SHOW GRANTS FOR CURRENT_USER()' first: it lists the privileges of the MySQL account the CMS connects with, which are exactly the privileges the moderator now commands. Then submit high-privilege statements such as 'CREATE USER', 'GRANT ALL PRIVILEGES' and 'DROP USER'. The tool executes them without any role check, which confirms the vulnerability. Test on a disposable instance, since these statements modify the server's account tables.

Remediation

Restrict the SQL Tool to the administrator role; moderators have no legitimate need for unrestricted SQL. If moderators must keep read access, enforce a deny-by-default allow-list (whitelist) of read-only statements (SELECT, SHOW, DESCRIBE) on the server side that also rejects stacked statements, MySQL versioned comments and INTO OUTFILE, rather than a blacklist of dangerous keywords, which is easy to evade with comments and quoting. Independently of the application fix, run Subrion with a dedicated MySQL account limited to the privileges it needs on its own schema, without CREATE USER, GRANT OPTION, SUPER or FILE; then even an unrestricted query cannot create accounts or reach the filesystem.
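The Python below is an added example, not Subrion's own code, serving both the reproduction and the remediation above: it embeds the reproduction's CREATE USER / GRANT / DROP USER statements as constructed inputs and gates them with a role-based, deny-by-default allow-list of the kind the remediation describes. The role names 'admin' and 'moderator', the table name 'members', the 'mod_backdoor' account and every sample query are assumptions constructed for the example. It runs offline with no database; in practice it would sit in front of the SQL Tool's execute call.

```python
import re

# Added example, not Subrion's code. Deny-by-default policy for the SQL Tool:
# a restricted role may run only these leading verbs (role names are assumed).
READ_ONLY_VERBS = frozenset({"SELECT", "SHOW", "DESCRIBE", "DESC"})
ROLE_POLICY = {"admin": None, "moderator": READ_ONLY_VERBS}  # None = unrestricted

# Even a SELECT touches the server filesystem if the DB account holds FILE.
FILE_PRIVILEGE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b|\bLOAD_FILE\s*\(", re.I)


def _scan(sql: str, backslash_escapes: bool) -> list[str]:
    """Strip comments and split on ';' outside string literals. backslash_escapes
    mirrors sql_mode: False = NO_BACKSLASH_ESCAPES (backslash is ordinary text),
    True = default (backslash escapes the next character). Backticks never escape."""
    stmts, buf, quote = [], [], None
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if quote:
            buf.append(c)
            if backslash_escapes and quote != "`" and c == "\\" and i + 1 < n:
                buf.append(sql[i + 1])
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in "'\"`":
            quote = c
            buf.append(c)
        elif c == "#" or (sql.startswith("--", i) and (i + 2 == n or sql[i + 2] in " \t\r\n")):
            # Line comment. MySQL treats "--" as a comment only when whitespace
            # follows, so "--;" is NOT stripped and its ';' still splits.
            j = sql.find("\n", i)
            i = n if j == -1 else j
            continue
        elif sql.startswith("/*", i):
            j = sql.find("*/", i + 2)  # unterminated comment swallows the rest
            i = n if j == -1 else j + 2
            buf.append(" ")
            continue
        elif c == ";":
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]


def _verb(stmt: str) -> str:
    """Leading keyword of a statement, ignoring whitespace and opening parens."""
    m = re.match(r"[\s(]*([A-Za-z_]+)", stmt)
    return m.group(1).upper() if m else ""


def check_query(role: str, sql: str) -> tuple[bool, str]:
    """Return (allowed, reason). A restricted query must pass under BOTH escape
    modes: a quote trick that hides a ';' in one mode is exposed in the other."""
    if role not in ROLE_POLICY:
        return False, f"unknown role {role!r}"
    allowed = ROLE_POLICY[role]
    if allowed is None:
        return True, "unrestricted role"
    if "/*!" in sql:
        return False, "MySQL executes /*! ... */ content; refused"
    for mode in (True, False):
        stmts = _scan(sql, backslash_escapes=mode)
        if len(stmts) != 1:
            return False, f"expected one statement, found {len(stmts)}"
        verb = _verb(stmts[0])
        if verb not in allowed:
            return False, f"{verb or '<none>'} is not permitted for {role!r}"
        if FILE_PRIVILEGE.search(stmts[0]):
            return False, "statement reads or writes the server filesystem"
    return True, "ok"


# Constructed samples: the reproduction's commands (account name is made up)
# and a few ways a moderator might try to slip past a naive keyword check.
REPRO_QUERIES = [
    "CREATE USER 'mod_backdoor'@'localhost' IDENTIFIED BY 'constructed-example'",
    "GRANT ALL PRIVILEGES ON *.* TO 'mod_backdoor'@'localhost' WITH GRANT OPTION",
    "DROP USER 'mod_backdoor'@'localhost'",
]
BYPASS_ATTEMPTS = {
    "stacked": "SELECT 1; DROP USER 'x'@'localhost'",
    "comment prefix": "/* audit */ DROP USER 'x'@'localhost'",
    "versioned comment": "SELECT 1 /*! ; DROP USER 'x'@'localhost' */",
    "escape hides quote": "SELECT 'a\\'' ; DROP USER 'x'@'localhost'",
    "no-escape hides quote": "SELECT '\\'; DROP USER 'x'@'localhost'",
    "outfile": "SELECT '<?php ?>' INTO OUTFILE '/tmp/constructed.php'",
}
```

Call check_query('moderator', sql) before handing sql to the database; every entry in REPRO_QUERIES and BYPASS_ATTEMPTS is refused for the moderator role, while 'SHOW GRANTS FOR CURRENT_USER()' and plain SELECTs pass. Two design choices carry the weight. First, the statement is tokenised under both MySQL backslash modes and must be a single permitted statement under each, because the filter cannot know the server's sql_mode and a string-literal trick that hides a ';' in one mode becomes a second statement in the other. Second, '/*! ... */' is refused outright rather than stripped, since MySQL executes its content. The gate limits what a moderator can submit; it does not shrink what the application's MySQL account can do, which is why the least-privilege account in the remediation is still needed.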

Added: Sep 11, 2025, 7:30 PM
Updated: Sep 11, 2025, 9:24 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 5.0
exploitability: 6.8
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.