EyouCMS
cpe:2.3:a:eyoucms:eyoucms:*:*:*:*:*:*:*
- <= 1.7.9
A SQL injection vulnerability has been identified in EyouCMS versions through 1.7.9. The issue arises in the 'GetSortData' function within 'application/common.php', where the 'sort_asc' parameter is improperly validated before being appended to the SQL 'ORDER BY' clause. This flaw allows remote, unauthenticated attackers to manipulate the sorting parameter and execute arbitrary SQL commands, potentially leading to database information disclosure, including admin credentials.
Successful exploitation allows arbitrary SQL execution and extraction of any database information, such as admin usernames and password hashes. Extracted hashes could then be cracked offline to gain full access to the server.
To reproduce this vulnerability, send a GET request to the frontend article list page with the 'sort_asc' parameter set to a crafted value that includes SQL injection payloads. If the server response is delayed, the injection point is confirmed. This vulnerability can also be exploited using 'sqlmap' to automate the injection and extraction of database information, including admin credentials.
A pull request is available that adds whitelist validation for the 'sort_asc' parameter to prevent SQL injection. This pull request can be found in the EyouCMS repository on Gitee.
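The following is an added example of allowlist validation for an 'ORDER BY' value, shown beside the concatenation pattern the advisory describes. It is not EyouCMS source and not the code from the pull request; the function names, column names and the "column [direction]" value format are assumptions made for illustration.

```php
<?php
// Added example: not EyouCMS source and not the pull request's code.
// Function names, column names and the "column [direction]" format are assumptions.

// Vulnerable pattern: the request value becomes part of the SQL text.
function orderByUnsafe($sortAsc)
{
    return 'ORDER BY ' . $sortAsc;
}

// Hardened pattern: the request value only selects among fixed SQL fragments.
const SORT_COLUMNS = ['aid' => '`aid`', 'add_time' => '`add_time`', 'click' => '`click`'];
const SORT_DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];
const SORT_DEFAULT = 'ORDER BY `aid` ASC';

function orderBySafe($sortAsc)
{
    // Array input (?sort_asc[]=x) and other non-strings fall back to the default.
    if (!is_string($sortAsc)) {
        return SORT_DEFAULT;
    }
    $parts = preg_split('/\s+/', strtolower(trim($sortAsc)), -1, PREG_SPLIT_NO_EMPTY);
    if (count($parts) < 1 || count($parts) > 2) {
        return SORT_DEFAULT;
    }
    $column = $parts[0];
    $direction = $parts[1] ?? 'asc';
    // Exact-match lookup: anything outside the tables is rejected, not escaped or filtered.
    if (!array_key_exists($column, SORT_COLUMNS)
        || !array_key_exists($direction, SORT_DIRECTIONS)) {
        return SORT_DEFAULT;
    }
    // Only constants from the tables above reach the SQL string.
    return 'ORDER BY ' . SORT_COLUMNS[$column] . ' ' . SORT_DIRECTIONS[$direction];
}

// Constructed sample inputs: valid values, an unlisted column, extra tokens, an array.
$samples = ['click desc', 'add_time', 'CLICK  DESC', 'password',
            'aid, (constructed_expression)', ['aid']];
foreach ($samples as $value) {
    printf("%-36s => %s\n", json_encode($value), orderBySafe($value));
}
```

Because identifiers and sort directions in 'ORDER BY' cannot be bound as prepared-statement parameters, the lookup table is what keeps request data out of the SQL text.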