PbootCMS SQL Injection Vulnerability in Member Login Component

Vulnerability

A SQL injection vulnerability has been identified in PbootCMS versions prior to 3.2.12, specifically within the Member Login component. The issue arises in the checkUsername function of the MemberController.php file, where user-supplied input for the username parameter is directly concatenated into SQL queries without proper sanitization or use of parameterized statements. This flaw allows remote, unauthenticated attackers to manipulate the SQL command and bypass authentication, gaining access to the application as an arbitrary user.

Impact

Exploitation of this vulnerability allows for unauthorized login as any frontend user, potentially leading to account takeover and misuse of member privileges.

Reproduction

To reproduce this vulnerability, deploy PbootCMS version 3.2.12 and ensure that at least one frontend member account exists. Then, send a POST request to the /member/login endpoint with a crafted username that exploits the SQL injection vulnerability, along with a password and checkcode. The injection bypasses authentication, granting access to the member account.

Remediation

It is recommended to replace the vulnerable SQL query construction method with prepared statements that properly bind parameters, and to review the entire codebase for similar raw string SQL constructions that could introduce injection vulnerabilities.
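The codebase review recommended above can start with a mechanical pass. The following is an added example, not PbootCMS code and not part of the original advisory: a Python heuristic that flags PHP lines where a string literal containing SQL is built by variable interpolation or concatenation. The sample PHP, the table name member and all function names are constructed for illustration.

```python
import re

# Heuristic audit for PHP source: flags lines to review by hand, it is not a
# parser. Statements split across several lines are not joined.
SQ = r"'(?:\\.|[^'\\])*'"          # single-quoted PHP literal
DQ = r'"(?:\\.|[^"\\])*"'          # double-quoted PHP literal
LITERAL = re.compile(SQ + "|" + DQ)
SQL = re.compile(
    r"\b(select\b.+\bfrom|insert\s+into|update\b.+\bset|delete\s+from|where)\b",
    re.I)
# Unescaped $name, ${name} or {$expr}: PHP expands these in double quotes only.
VAR = re.compile(r"(?<!\\)\$[A-Za-z_{]")
# After literals are replaced by NUL: literal . non-literal, or the reverse.
CONCAT = re.compile(r"\x00\s*\.\s*[$A-Za-z_]|[\w\])]\s*\.\s*\x00")

def audit_php(source):
    """Return (line_no, reason, text) for lines that build SQL from variables."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        if text.startswith(("//", "#", "*", "/*")):
            continue                              # comment line
        sql = [m.group(0) for m in LITERAL.finditer(text) if SQL.search(m.group(0))]
        if not sql:
            continue                              # no SQL-looking literal here
        if any(s[0] == '"' and VAR.search(s) for s in sql):
            findings.append((no, "interpolation", text))
        elif CONCAT.search(LITERAL.sub("\x00", text)):
            findings.append((no, "concatenation", text))
    return findings

# Constructed sample, not PbootCMS source; the table name is made up.
SAMPLE = r"""<?php
// lookup variants for a member login check
$a = "SELECT id FROM member WHERE username='$username'";
$b = 'SELECT id FROM member WHERE username=\'' . $_POST['username'] . '\'';
$c = $pdo->prepare('SELECT id FROM member WHERE username = ?');
$c->execute([$username]);
"""

if __name__ == "__main__":
    for no, reason, text in audit_php(SAMPLE):
        print(f"line {no}: {reason}: {text}")
```

Lines the scan reports are candidates for conversion to a bound-parameter query like the prepare/execute pair in the sample, which the scan leaves unflagged.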

Added: Mar 20, 2026, 11:18 PM
Updated: Mar 20, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.3
exploitability: 9.7
remediation: 0.0
relevance: 4.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.