EasyCMS SQL Injection Vulnerability in RbacnodeAction.class.php Prior to 1.6

Vulnerability

A SQL injection vulnerability has been identified in EasyCMS versions prior to 1.6. The issue resides in the RbacnodeAction.class.php file within the Request Parameter Handler component. The vulnerability is triggered by manipulating the _order parameter, which is not properly sanitized before being included in SQL query statements. This flaw allows remote attackers to execute SQL injection attacks, potentially leading to unauthorized access to database information, modification or deletion of data, and execution of system commands to gain control over the server.

Impact

Exploitation of this vulnerability allows attackers to perform time-based blind SQL injection, bypass authentication, and gain database permissions. This could lead to unauthorized access to sensitive data, manipulation of database information, and execution of system commands, resulting in a complete compromise of the server.

Reproduction

To reproduce this vulnerability, send a POST request to the index.php file with the RbacnodeAction class. Include the _order parameter with a crafted SQL payload that exploits the SQL injection vulnerability. The injection can be verified by using SQL injection testing tools such as sqlmap, which can automate the exploitation process and demonstrate the vulnerability by extracting database information or executing commands.

Remediation

It is recommended to implement proper input validation and parameterized queries to prevent SQL injection. Update the affected component to a version that has addressed this vulnerability.
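A column name in an ORDER BY clause cannot be bound as a query parameter, so input validation for a sort parameter such as _order means mapping the request value onto a fixed allowlist. The sketch below is an added example, not EasyCMS code and not the vendor's fix; the function name, the table and column names, and the separate direction argument are assumptions.

```php
<?php
// Added example, not EasyCMS code. Function, table and column names are hypothetical.

/**
 * Turn an untrusted sort request into an ORDER BY clause.
 * The request value is only a lookup key; every byte of SQL text
 * comes from the fixed allowlist, never from the request.
 */
function build_order_clause($order, $direction, array $allowed, string $default): string
{
    $key = is_string($order) ? $order : '';   // arrays and other types never match
    if (!isset($allowed[$key])) {
        if ($order !== null) {
            // Rejected sort keys are worth logging: they are a cheap injection signal.
            error_log('rejected sort key: ' . json_encode($order));
        }
        $key = $default;                      // $default must itself be an allowlist key
    }
    $dir = (is_string($direction) && strtolower($direction) === 'desc') ? 'DESC' : 'ASC';
    return "ORDER BY {$allowed[$key]} {$dir}";
}

// Hypothetical sortable columns: request key => quoted SQL identifier.
const SORTABLE = ['id' => '`id`', 'name' => '`name`', 'sort' => '`sort`'];

// Constructed sample inputs: two valid, one with trailing SQL text, one non-string.
// In a request handler the first argument would be $_POST['_order'] ?? null.
$samples = [
    ['name', 'desc'],
    ['id', null],
    ['name desc, extra_sql_here', 'asc'],
    [['nested' => 'array'], 'desc'],
];

foreach ($samples as [$order, $direction]) {
    $clause = build_order_clause($order, $direction, SORTABLE, 'id');
    // Values (as opposed to identifiers) still go through bound parameters.
    $sql = "SELECT id, name FROM node WHERE status = :status {$clause}";
    echo json_encode($order), ' => ', $sql, PHP_EOL;
}
```

The last two samples fall back to the default column and produce a log line, while the generated SQL contains only allowlisted identifiers.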

Added: Mar 8, 2026, 11:17 PM
Updated: Mar 8, 2026, 11:17 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.6
exploitability: 9.7
remediation: 0.0
relevance: 3.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.