star7th ShowDoc SQL Injection Vulnerability in API Page Sort Endpoint

Vulnerability

A SQL injection vulnerability has been identified in star7th ShowDoc versions from 2.5.3 up to (but not including) 2.10.10 and from 3.0.0 up to (but not including) 3.6.2. The issue resides in the handling of the 'pages' parameter in 'server/Application/Api/Controller/PageController.class.php', specifically in the API Page Sort Endpoint. User input is not properly sanitized, which allows attackers to execute arbitrary SQL commands and potentially access sensitive database information. The vulnerability can be exploited remotely.

Impact

Successful exploitation lets an attacker manipulate database queries to extract, modify, or delete database information. In this case, the vulnerability could be used to bypass authentication or access sensitive user data, such as usernames.

Reproduction

To reproduce this vulnerability, register a low-privileged user account. After logging in, create an item and then a page, saving the page to generate a page ID. Once the page is saved, send a POST request to the '/Api/Page/sort' endpoint with a payload that includes a crafted SQL injection in the 'pages' parameter, along with the 'item_id' and 'user_token' parameters. The response will contain the result of the SQL injection, demonstrating the vulnerability.
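A detection sketch for the request described above, added here as an example and not taken from ShowDoc or the advisory: it flags POSTs to '/Api/Page/sort' whose 'pages' or 'item_id' values are not plain integers. It assumes request bodies are available as form-encoded strings (for instance from a proxy that logs them) and that a legitimate 'pages' value is a JSON object of integer page IDs to integer sort positions; the record layout and that shape are assumptions, not documented on this page.

```python
import json
from urllib.parse import parse_qs, urlencode

SORT_PATH = "/api/page/sort"  # advisory's endpoint, lower-cased for comparison

def is_int_like(value):
    if isinstance(value, bool):  # bool is an int subclass in Python
        return False
    if isinstance(value, int):
        return value >= 0
    return isinstance(value, str) and value.isascii() and value.isdigit()

def pages_is_well_formed(raw):
    """ASSUMED shape (not documented in the advisory): a non-empty JSON
    object mapping integer page IDs to integer sort positions."""
    try:
        decoded = json.loads(raw)
    except (TypeError, ValueError):
        return False
    if not isinstance(decoded, dict) or not decoded:
        return False
    return all(is_int_like(k) and is_int_like(v) for k, v in decoded.items())

def flag_sort_requests(records):
    """Return (record, reason) pairs for sort requests with abnormal parameters."""
    findings = []
    for rec in records:
        path = rec["path"].split("?", 1)[0].lower()
        if rec["method"] != "POST" or path != SORT_PATH:
            continue
        form = parse_qs(rec["body"], keep_blank_values=True)
        pages, item_id = form.get("pages", []), form.get("item_id", [])
        if len(pages) != 1 or not pages_is_well_formed(pages[0]):
            findings.append((rec, "pages is not a JSON map of integers"))
        elif len(item_id) != 1 or not is_int_like(item_id[0]):
            findings.append((rec, "item_id is not an integer"))
    return findings

def _req(rid, pages, item_id="5", path="/Api/Page/sort", method="POST"):
    body = urlencode({"pages": pages, "item_id": item_id, "user_token": "t"})
    return {"id": rid, "method": method, "path": path, "body": body}

# Constructed sample records, not captured traffic.
SAMPLE = [
    _req(1, '{"12":1,"13":2}'),                      # expected shape
    _req(2, '{"12":"1 plus non-numeric text"}'),     # non-integer sort value
    _req(3, '{"12":1}', path="/Api/Page/info"),      # different endpoint, ignored
    _req(4, '{"12":1}', item_id="5 extra"),          # non-integer item_id
]
```

Calling flag_sort_requests(SAMPLE) returns the records that deserve review together with the reason each was flagged.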

Remediation

Users are advised to upgrade to version 3.8.1 or later, as the vendor has stated they will not backport patches to older versions.

Added: Apr 25, 2026, 3:18 PM
Updated: Apr 25, 2026, 3:18 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 2.5
exploitability: 8.0
remediation: 7.7
relevance: 6.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.