WBCE CMS User Management Module SQL Injection Vulnerability Allowing Database Compromise

Vulnerability

A SQL injection vulnerability has been identified in the user management module of WBCE CMS, affecting versions through 1.6.4. This vulnerability allows low-privileged authenticated users with permissions to modify user profiles to execute arbitrary SQL queries. The issue arises in the 'admin/users/save.php' script, which improperly handles the 'groups[]' parameter from the user edit form. Exploitation of this vulnerability could lead to a full database compromise, bypassing all security controls.

Impact

Exploitation of this vulnerability allows arbitrary SQL execution, which can be used to read, modify, or delete any data in the database, including session data, password hashes, and personal user details. Because the injection is time-based blind, an injected delay (for example via 'SLEEP') is enough to confirm that attacker-supplied SQL is being executed even when query results are not returned to the user.

Reproduction

To reproduce this vulnerability, log in as a low-privileged user who holds the 'Users - Modify' permission, open the user management section and choose a user to edit. With the user edit form open, intercept the POST request sent to 'admin/users/save.php' when the 'Save' button is clicked, and replace the 'groups[]' parameter with a payload that exploits the injection, such as one calling the 'SLEEP' function. Send the modified request; a delayed response indicates that the injected SQL was executed.

Remediation

Users can update to WBCE CMS version 1.6.5, which addresses this vulnerability by implementing proper validation and sanitization of the 'groups[]' parameter in the user management module.
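As an added illustration of the fix described above (this is example code, not WBCE's own save.php; the table and column names are hypothetical), the unsafe pattern of splicing 'groups[]' into the query text is shown beside a hardened version that accepts only positive integer group IDs and binds them as parameters:

```php
<?php
// Added example, not WBCE CMS code. Table 'users' with columns 'user_id'
// and 'groups_id' is a hypothetical stand-in for the real schema.

// Unsafe pattern: raw groups[] values become part of the SQL text, so a
// value that is not a number rewrites the query itself.
function unsafeGroupsSql(int $userId, array $groups): string
{
    return "UPDATE users SET groups_id = '" . implode(',', $groups)
         . "' WHERE user_id = " . $userId;
}

// Hardened: every groups[] entry must be a positive integer; anything else
// is rejected before it gets near the database.
function validateGroupIds(array $groups): array
{
    $ids = [];
    foreach ($groups as $g) {
        $id = filter_var($g, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException(
                'groups[] entry is not a positive integer: ' . var_export($g, true));
        }
        $ids[$id] = $id;   // keyed by value, which also removes duplicates
    }
    return array_values($ids);
}

// The validated list is passed as a bound parameter, never concatenated.
function saveUserGroups(PDO $db, int $userId, array $rawGroups): int
{
    $ids  = validateGroupIds($rawGroups);
    $stmt = $db->prepare('UPDATE users SET groups_id = :groups WHERE user_id = :uid');
    $stmt->execute([':groups' => implode(',', $ids), ':uid' => $userId]);
    return $stmt->rowCount();
}

// Self-contained demo on an in-memory SQLite table (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, groups_id TEXT)');
$db->exec("INSERT INTO users VALUES (2, '1')");

echo saveUserGroups($db, 2, ['1', '3', '3']) . " row updated\n";  // well-formed input
try {
    saveUserGroups($db, 2, ['1 OR SLEEP(5)']);                       // malformed input
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Rejecting the request outright, rather than silently stripping characters, also gives the application a clear point at which to log the malformed 'groups[]' value for later review.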

Added: Dec 10, 2025, 9:19 PM
Updated: Dec 10, 2025, 9:19 PM

Vulnerability Rating (Custom Algorithm)

spread: 1.0
impact: 6.7
exploitability: 6.8
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.