Submission #840800: YzmCMS 7.5 SQL Injection

Title: YzmCMS 7.5 SQL Injection
Description: A SQL Injection vulnerability was discovered in YzmCMS v7.5 during the installation phase. The issue resides in the file `/application/install/index.php`. The application retrieves the user-supplied 'siteurl' input via a POST request and processes it only with the `trim()` function. This variable is then directly concatenated into an UPDATE SQL statement without any sanitization or parameterized preparation (Prepared Statements), and executed via `$pdo->exec()`.

Defective Code:

```php
$siteurl = trim($_POST['siteurl']);
$sql = "UPDATE `".$db_prefix."config` SET `value` = '$siteurl' WHERE `id` = 2";
$pdo->exec($sql);
```

An unauthenticated attacker can exploit this by manipulating the 'siteurl' parameter during the installation process. By using error-based SQL injection payloads (such as `updatexml`), the attacker can extract sensitive information from the database, including the database user, version, and administrator credentials, potentially leading to an administrative account takeover and subsequent Remote Code Execution (RCE) via backend template modifications.
Source: https://github.com/drose025/security/blob/main/1.md
User: D.Rose (UID 46535)
Submission: 28/05/2026 11:19 AM (1 month ago)
Moderation: 28/06/2026 09:59 AM (1 month later)
Status: Accepted
VulDB entry: 374537 [YzmCMS up to 7.5 index.php siteurl SQL injection]
Points: 20
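
An added example (not from the submission or from YzmCMS) showing the same UPDATE with `siteurl` bound as a parameter instead of concatenated into the statement. The helpers `save_siteurl`, `safe_prefix` and `validate_siteurl`, the `yzm_` prefix and the SQLite table are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not YzmCMS code. SQLite in-memory stands in for MySQL so the
// script runs offline; the yzm_config table layout is an assumption.

// Identifiers cannot be bound as parameters, so the table prefix is allow-listed.
function safe_prefix(string $prefix): string
{
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    return $prefix;
}

// Input validation as defence in depth: accept only absolute http(s) URLs.
function validate_siteurl(string $raw): string
{
    $url = trim($raw);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('siteurl must be an http(s) URL');
    }
    return $url;
}

// The fix itself: siteurl travels as a bound parameter, never as SQL text.
function save_siteurl(PDO $pdo, string $dbPrefix, string $rawSiteurl): void
{
    $table = safe_prefix($dbPrefix) . 'config';
    $stmt = $pdo->prepare("UPDATE `{$table}` SET `value` = :siteurl WHERE `id` = 2");
    $stmt->execute([':siteurl' => validate_siteurl($rawSiteurl)]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE yzm_config (id INTEGER PRIMARY KEY, value TEXT)');
$pdo->exec("INSERT INTO yzm_config (id, value) VALUES (2, '')");

// Constructed inputs: a plain URL, a URL containing a quote, and a non-URL.
foreach (['https://example.test/', "https://example.test/o'brien", 'not a url'] as $input) {
    try {
        save_siteurl($pdo, 'yzm_', $input);
        $stored = $pdo->query('SELECT value FROM yzm_config WHERE id = 2')->fetchColumn();
        echo "stored:   {$stored}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$input} ({$e->getMessage()})\n";
    }
}
```

Against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the driver uses native prepared statements.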
