Vvveb CMS Authenticated SQL Injection Vulnerability in User Order History Page
Vulnerability
An authenticated SQL injection vulnerability has been identified in Vvveb CMS versions prior to 1.0.8.3. The issue occurs on the frontend user order history page, specifically at the '/user/orders' endpoint. Normal frontend users can exploit this vulnerability by manipulating the 'order_by' and 'direction' request parameters. These parameters are directly concatenated into the SQL 'ORDER BY' clause without proper validation or sanitization, allowing attacker-controlled input to interfere with the SQL query execution.
Impact
Exploitation of this vulnerability allows authenticated SQL injection, where an attacker can manipulate the SQL queries executed by the application. Depending on the application's database permissions and schema, this can lead to unauthorized data access or modification.
Reproduction
To reproduce this vulnerability, log in as a normal frontend user and navigate to the '/user/orders' page. Once there, the 'order_by' and 'direction' parameters can be manipulated to inject SQL payloads. For example, injecting a subquery that uses the 'SLEEP' function into the 'order_by' parameter will cause the application to return a SQL syntax error, demonstrating that the injected SQL was executed.
Remediation
Users are advised to update to Vvveb CMS version 1.0.8.3 or later. For those unable to update, a temporary workaround is to manually validate and sanitize the 'order_by' and 'direction' parameters before they are used in SQL queries.
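One way to apply the interim workaround, as an added example that is not Vvveb's own code: the request parameters are mapped onto fixed allowlists before the ORDER BY clause is built, so unexpected values never reach the SQL parser. The orders table, its column names and the sample rows are constructed for illustration and may not match Vvveb's real schema.

```python
import sqlite3

# Allowlists: the only sort columns and directions a frontend user may request.
# Column names are assumed for this example, not taken from Vvveb's schema.
ALLOWED_ORDER_BY = {"order_id", "date_added", "total", "status"}
ALLOWED_DIRECTION = {"ASC", "DESC"}
DEFAULT_ORDER_BY, DEFAULT_DIRECTION = "date_added", "DESC"


def build_orders_query_unsafe(order_by: str, direction: str) -> str:
    # The pattern the advisory describes: request parameters concatenated
    # straight into ORDER BY. Kept only to contrast with the hardened form.
    return ("SELECT order_id, total FROM orders WHERE user_id = ? "
            f"ORDER BY {order_by} {direction}")


def build_orders_query(order_by: str, direction: str) -> str:
    """Hardened form: anything not on the allowlist falls back to a safe default."""
    column = order_by if order_by in ALLOWED_ORDER_BY else DEFAULT_ORDER_BY
    wanted = direction.upper()
    direction = wanted if wanted in ALLOWED_DIRECTION else DEFAULT_DIRECTION
    # Only allowlisted literals are interpolated; user_id stays a bound parameter.
    return ("SELECT order_id, total FROM orders WHERE user_id = ? "
            f"ORDER BY {column} {direction}")


def fetch_orders(user_id: int, order_by: str, direction: str) -> list:
    """Run the hardened query against a constructed in-memory orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id INTEGER, user_id INTEGER, "
                 "date_added TEXT, total REAL, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1, 7, "2024-01-05", 20.0, "paid"),   # constructed sample rows
        (2, 7, "2024-02-10", 5.5, "paid"),
        (3, 9, "2024-03-01", 99.0, "paid"),
    ])
    rows = conn.execute(build_orders_query(order_by, direction), (user_id,)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(fetch_orders(7, "total", "asc"))          # sorted by total ascending
    print(fetch_orders(7, "not_a_column", "weird"))  # falls back to date_added DESC
```

A rejected value can also be logged at the point of fallback, which gives a simple detection signal for probing of these parameters.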
