mingSoft MCMS SQL Injection Vulnerability in Web Content List Endpoint

Vulnerability

A SQL injection vulnerability has been identified in mingSoft MCMS versions through 5.5.0. The issue resides in the web content list endpoint, specifically within the ContentAction.java file. The vulnerability arises because the application collects request parameters and forwards them to the business layer, where they are rendered into a SQL query using FreeMarker templates. This process allows attackers to inject arbitrary SQL fragments, which are then executed directly on the database without proper parameterization. Exploitation can lead to unauthorized data access, modification of application data, and in some cases, authentication bypass.

Impact

Successful exploitation allows attackers to execute arbitrary SQL commands, potentially leading to extraction, modification, or deletion of database information. In CMS environments, this could disrupt service availability or manipulate content and user data.

Reproduction

To reproduce this vulnerability, send a request to the '/cms/content/list' endpoint with crafted 'typeids' parameter values that exploit the SQL injection flaw. The injected SQL will be executed on the backend database, allowing for data extraction or manipulation.

Remediation

Replace the vulnerable SQL template rendering with parameterized queries to prevent SQL injection. Implement strict input validation for request parameters before they are processed.
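
One way to apply both remediation steps to the 'typeids' parameter, shown as an added example rather than MCMS's own code. It assumes 'typeids' is a comma-separated list of numeric IDs; the class name, the ID limit, and the table and column names are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class TypeIdsQuery {
    private static final int MAX_IDS = 50; // assumed upper bound on list length

    // Strict validation: every element must be plain digits, otherwise the request is rejected.
    static List<Long> parseTypeIds(String raw) {
        if (raw == null || raw.isBlank()) throw new IllegalArgumentException("typeids is required");
        String[] parts = raw.split(",", -1); // -1 keeps empty trailing items so "1," is rejected
        if (parts.length > MAX_IDS) throw new IllegalArgumentException("too many typeids");
        List<Long> ids = new ArrayList<>();
        for (String part : parts) {
            String p = part.trim();
            if (!p.matches("[0-9]{1,18}")) throw new IllegalArgumentException("typeids must be numeric");
            ids.add(Long.parseLong(p)); // 18 digits always fits in a long
        }
        return ids;
    }

    // The SQL text depends only on how many ids there are, never on their content.
    static String buildSql(int count) {
        String marks = String.join(",", Collections.nCopies(count, "?"));
        // Hypothetical table and column names, for illustration only.
        return "SELECT id, title FROM content WHERE category_id IN (" + marks + ")";
    }

    // Each id is bound as a typed parameter, so the database never parses it as SQL.
    static PreparedStatement prepare(Connection conn, String rawTypeIds) throws SQLException {
        List<Long> ids = parseTypeIds(rawTypeIds);
        PreparedStatement ps = conn.prepareStatement(buildSql(ids.size()));
        for (int i = 0; i < ids.size(); i++) ps.setLong(i + 1, ids.get(i));
        return ps;
    }

    public static void main(String[] args) {
        // Constructed inputs: one well-formed list, one carrying a SQL fragment.
        System.out.println(buildSql(parseTypeIds("3, 7,12").size()));
        try {
            parseTypeIds("3 OR 1=1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The main method runs without a database; prepare needs a live JDBC connection.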

Added: Mar 27, 2026, 3:33 PM
Updated: Mar 27, 2026, 3:33 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 3.1
exploitability: 9.7
remediation: 0.0
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.