EasyCMS
cpe:2.3:a:easycms:easycms:*:*:*:*:*:*:*
- 1.0
- 1.1
- 1.2
- 1.3
- 1.4
- 1.5
- 1.6
A SQL injection vulnerability has been identified in EasyCMS versions through 1.6, specifically in the UserAction.class.php file. The issue arises from the _order parameter, which is not properly sanitized before being included in SQL query statements. This vulnerability can be exploited remotely, without authentication, using time-based blind injection techniques. Exploitation allows attackers to bypass authentication, gain administrative privileges, and manipulate or delete sensitive database information. Additionally, the vulnerability could be leveraged to execute system commands, potentially leading to a broader compromise of the server and of other devices on its network.
Successful exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries. This could lead to unauthorized data access, data modification or deletion, and in some cases, executing system commands to gain control over the server.
To reproduce this vulnerability, send a POST request to the index.php file with the _order parameter manipulated to include SQL injection payloads. The request should be made to the admin user index page, and the injection can be verified by observing the application's response or using a tool like sqlmap to automate the exploitation.
It is recommended to implement proper input validation and parameterized queries to prevent SQL injection. After applying these changes, the application should be tested to ensure the vulnerability has been successfully addressed.
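The remediation above, sketched as an added example in PHP (not EasyCMS code): bound parameters protect values, but a sort column cannot be bound, so the sort input is mapped through a fixed allowlist instead. It assumes the _order value ends up in an ORDER BY clause, which the advisory does not state; the table, column and function names are hypothetical.

```php
<?php
// Added example, not EasyCMS code. Table, columns and function names are hypothetical.
// Assumption: the request's _order value selects the sort column of a list query.

const SORTABLE = ['id' => 'id', 'username' => 'username', 'created' => 'created_at'];

/** Map untrusted sort input to a fixed ORDER BY fragment; unknown input gets the default. */
function orderClause($raw): string
{
    if (!is_string($raw)) {                 // array input such as _order[]=... is rejected
        return 'id ASC';
    }
    $parts = preg_split('/\s+/', trim($raw));
    $key = strtolower($parts[0] ?? '');
    $dir = strtoupper($parts[1] ?? 'ASC');
    if (count($parts) > 2 || !array_key_exists($key, SORTABLE)) {
        return 'id ASC';
    }
    $dir = $dir === 'DESC' ? 'DESC' : 'ASC';
    return SORTABLE[$key] . ' ' . $dir;     // only constants from this file reach the SQL text
}

function listUsers(PDO $db, $order, string $status): array
{
    // Unsafe pattern for comparison: '... ORDER BY ' . $_POST['_order']
    $sql = 'SELECT id, username FROM users WHERE status = :status ORDER BY ' . orderClause($order);
    $stmt = $db->prepare($sql);             // values are bound, never concatenated
    $stmt->execute([':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, status TEXT, created_at TEXT)');
$db->exec("INSERT INTO users (username, status, created_at) VALUES
    ('carol', 'active', '2024-01-03'), ('alice', 'active', '2024-01-01'), ('bob', 'active', '2024-01-02')");

// Constructed inputs: two valid sort requests, one with extra tokens, one non-string.
foreach (['username desc', 'created', 'id, (anything else)', ['x']] as $input) {
    $names = array_column(listUsers($db, $input, 'active'), 'username');
    printf("%-24s => ORDER BY %-16s => %s\n", json_encode($input), orderClause($input), implode(',', $names));
}
```

Anything that is not an exact allowlist key with an optional ASC or DESC falls back to the default sort, so retesting after the fix can confirm that arbitrary _order values no longer change the generated SQL.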