Hello everyone! Today, we had the opportunity to delve into AeroCMS v..1, a beginner-level content management system (CMS). After going through the code thoroughly, we identified a significant SQL Injection vulnerability. This vulnerability (CVE-2022-45331) was discovered in the \post.php file of AeroCMS v..1.

Let's get into the details about this exploit and how it might impact the AeroCMS users.

What’s the issue?

The vulnerability was discovered in the p_id parameter of the \post.php file, which is placed directly into a SQL query without validation or parameterization. An attacker who controls p_id can therefore change the query the database executes and read data from other tables, such as user credentials, leading to data leakage and, where those credentials are reused, unauthorized access.

Code Snippet Demonstrating the Vulnerability

The following code snippet in the \post.php file shows how the p_id parameter is being used to query the database:

$p_id = $_GET['p_id'];                              // untrusted value taken straight from the query string
$query = "SELECT * FROM posts WHERE p_id = $p_id";  // interpolated into the SQL text: no quoting, no cast, no placeholder
$result = $db->query($query);                       // executed exactly as built

In the code above, $p_id is interpolated into the SQL string without quoting, casting, or a prepared statement, so whatever an attacker places in the p_id parameter becomes part of the query the database executes.

How can an attacker exploit this vulnerability?

An attacker can easily exploit this vulnerability by sending a malicious request using an appropriate SQL Injection payload. For example, an attacker can send a request like this:

http://example.com/post.php?p_id=1+UNION+ALL+SELECT+null,concat(username,':',password)+FROM+users--

This request will exploit the vulnerability in the p_id parameter and return the username and password of all users stored in the database. Two practical caveats: a UNION only succeeds when its SELECT has the same number of columns as the posts table, so an attacker first determines that count (for example with ORDER BY n or successive NULL placeholders) and then places the concat() in a column that the page actually renders; and in MySQL the -- comment marker must be followed by whitespace, so payloads are usually written as --+ or -- - rather than a bare -- at the end of the URL.

We have reported this issue to the AeroCMS developers, and the CVE number has been assigned to this vulnerability. You can find more information about this vulnerability at the following links:

1. CVE-2022-45331 - the MITRE entry for this CVE (MITRE maintains the CVE list).
2. AeroCMS GitHub Repository - The official GitHub repository for AeroCMS. You can find the vulnerable code in the \post.php file in the v..1 branch.

What’s next?

If you are an AeroCMS v..1 user, it's essential to take immediate measures to protect your system against this vulnerability. We recommend:

1. Applying any patches or security updates provided by AeroCMS, or switching to a different CMS if the vulnerability is not resolved.
2. Rewriting the query with a prepared statement and a bound parameter so that p_id is never interpolated into SQL text, and additionally validating p_id as a positive integer before it reaches the database. Parameterization is the actual fix; input validation is a second layer, not a substitute for it.
3. Deploying a Web Application Firewall to block common SQL Injection payloads. This is defense in depth only: WAF rules can be bypassed and do not remove the underlying flaw.
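To make the vulnerable pattern and its fix concrete, here is an added example that is not AeroCMS code: it reproduces the string-built query from the post.php snippet beside a parameterized replacement, using PHP's PDO against an in-memory SQLite database so the script runs stand-alone with php (the pdo_sqlite extension is assumed). The table layout, the sample rows and the credentials are constructed for the demonstration, and the page's payload is adapted to SQLite (|| in place of concat(), plus a third NULL so the UNION lines up with the three-column posts table); AeroCMS's real schema may differ.

```php
<?php
// Added example, not AeroCMS code. Demonstrates the p_id injection pattern from
// post.php and a prepared-statement fix against an in-memory SQLite database.
// Table names, columns and rows below are assumptions made for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and data. Both tables have three columns so that a
// UNION between them lines up, as an attacker would arrange by probing with
// ORDER BY n or NULL placeholders first.
$db->exec('CREATE TABLE posts (p_id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 'Hello', 'first post')");
$db->exec("INSERT INTO users VALUES (1, 'admin', 'hunter2')");

// Vulnerable: the request parameter is concatenated straight into the SQL
// string, exactly as in the post.php snippet on the page.
function fetchPostVulnerable(PDO $db, string $p_id): array
{
    $query = "SELECT * FROM posts WHERE p_id = $p_id";
    return $db->query($query)->fetchAll(PDO::FETCH_NUM);
}

// Hardened: the SQL text is fixed and the value travels as a bound parameter,
// so the database never parses attacker input as SQL. Validation comes first
// as an independent layer: p_id must be a positive whole number, and anything
// else is rejected outright rather than silently coerced. A bare (int) cast
// would turn "1 UNION ..." into 1 and quietly serve the post, hiding the attempt.
function fetchPostSafe(PDO $db, string $p_id): array
{
    $id = filter_var($p_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM posts WHERE p_id = :p_id');
    $stmt->bindValue(':p_id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// The page's payload, adapted to SQLite (|| instead of concat()) and to a
// three-column posts table.
$payload = "1 UNION ALL SELECT null, username || ':' || password, null FROM users--";

echo "vulnerable, p_id=1:\n";
print_r(fetchPostVulnerable($db, '1'));
echo "vulnerable, injected payload:\n";
print_r(fetchPostVulnerable($db, $payload));
echo "prepared statement, p_id=1:\n";
print_r(fetchPostSafe($db, '1'));
echo "prepared statement, injected payload:\n";
print_r(fetchPostSafe($db, $payload));
```

Save it under any name (for instance sqli_demo.php, a name chosen here) and run it with php. The string-built query returns the post row for p_id=1 and, for the payload, the post row followed by a second row carrying admin:hunter2 pulled from the users table. The prepared-statement version returns the post row for p_id=1 and an empty result for the payload, because FILTER_VALIDATE_INT rejects it before any SQL is built; in production that rejection is also the point at which to log the request as a probable attack.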

At the moment, there is no official fix for this vulnerability in AeroCMS v..1. Keep monitoring the AeroCMS repository for updates and security patches.

Stay safe and let's work together to eliminate risks and protect our digital infrastructure.

Timeline

Published on: 11/22/2022 21:15:00 UTC
Last modified on: 11/23/2022 16:04:00 UTC