CVE-2019-13086 in CSZ
Summary
by MITRE
core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/login/check SQL injection by sending a crafted HTTP User-Agent header and omitting the csrf_csz parameter.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 10/09/2023
The vulnerability identified as CVE-2019-13086 resides within the core/MY_Security.php file of CSZ CMS version 1.2.2 and earlier, representing a critical SQL injection flaw that can be exploited through a specific attack vector involving the HTTP User-Agent header. This vulnerability specifically targets the member/login/check endpoint where the application fails to properly sanitize user input, creating an opportunity for malicious actors to inject arbitrary SQL commands into the database query execution process. The flaw becomes particularly dangerous because it requires minimal user interaction beyond crafting a specific HTTP request, making it an attractive target for automated exploitation tools.
The technical implementation of this vulnerability stems from insufficient input validation and sanitization within the security checking mechanism of the CMS. When the application processes login requests, it incorporates the User-Agent header value directly into SQL queries without proper escaping or parameterization, while simultaneously ignoring the csrf_csz parameter that would normally provide additional security layer. This combination creates a scenario where an attacker can manipulate the database query execution flow by injecting malicious SQL code through the User-Agent header, effectively bypassing standard authentication mechanisms and potentially gaining unauthorized access to sensitive database information.
The operational impact of this vulnerability extends beyond simple authentication bypass, as successful exploitation could lead to complete database compromise including data theft, modification of user credentials, and potential lateral movement within the affected system. Attackers could leverage this vulnerability to escalate privileges, extract user information, or even inject backdoors into the CMS infrastructure. The vulnerability's accessibility through a simple HTTP header manipulation makes it particularly concerning for environments where the CMS is exposed to untrusted networks or where automated scanning tools might discover and exploit it without significant effort. According to CWE standards, this represents a CWE-89 SQL injection vulnerability that occurs due to improper input handling and lack of proper database query parameterization.
Security professionals should consider this vulnerability in relation to ATT&CK framework techniques such as T1190 for exploit public-facing application and T1078 for valid accounts, as the successful exploitation would likely result in unauthorized access to user accounts and system data. The vulnerability's exploitation requires minimal technical skill and can be automated, making it particularly dangerous in environments where the CMS is not properly patched or monitored for such attacks. Organizations using CSZ CMS versions prior to the June 20, 2019 release should immediately implement security patches or apply mitigations to prevent exploitation, as the vulnerability affects the core authentication system and represents a fundamental security flaw in the application's database interaction mechanisms. The lack of CSRF protection combined with improper input handling creates a dangerous combination that fundamentally undermines the security posture of affected systems.