CVE-2020-21486 in PHPOK

Summary

by MITRE • 06/20/2023

SQL injection vulnerability in PHPOK v5.4 allows a remote attacker to obtain sensitive information via the _userlist function in the framework/phpok_call.php file.


Analysis

by VulDB Data Team • 12/10/2024

This vulnerability exists in PHPOK version 5.4, a content management system that falls under the category of web application frameworks. The flaw is classified as a SQL injection vulnerability and resides in the _userlist function located in the framework/phpok_call.php file. This type of vulnerability is a critical weakness that allows unauthorized parties to manipulate database queries through malicious input. It stems from inadequate input validation and sanitization in the application's codebase, creating an entry point for attackers to execute arbitrary SQL commands against the underlying database. In the CWE taxonomy this corresponds to CWE-89, which covers SQL injection flaws where untrusted data is incorporated into SQL commands without proper sanitization or parameterization.

The operational impact of this vulnerability is severe: it enables remote attackers to extract sensitive information from the database without authentication or privileged access. Attackers can exploit this weakness to retrieve user credentials, personal data, system configuration, and other confidential information stored in the application's database. Because the flaw sits in PHPOK's core user-management functionality, it can potentially lead to privilege escalation, data theft, or complete system compromise. This type of vulnerability aligns with ATT&CK technique T1071.004, which covers application layer protocol manipulation, and T1046, representing network service scanning that can lead to database exploitation. The attack vector is particularly dangerous because it requires no prior access to the system and can be executed remotely through web-based interfaces.

Technically, the vulnerability arises because user input is incorporated directly into SQL query construction without parameterization or input validation. The _userlist function in framework/phpok_call.php appears to accept parameters that are then used to build database queries, giving attackers an opportunity to inject SQL code. This violates the basic secure-coding practices of validating input and using prepared statements, both of which are essential for preventing SQL injection. The flaw can be exploited through crafted HTTP requests that manipulate the parameters passed to the _userlist function, potentially allowing UNION-based, error-based, or time-based blind SQL injection. Organizations should note that this vulnerability reflects poor secure coding practices and underlines the importance of input validation, parameterized queries, and regular security code reviews. The impact extends beyond simple data theft: it can lead to complete system compromise, data corruption, and regulatory compliance violations under data protection frameworks such as GDPR or HIPAA.
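The following is an added illustration written for this entry, not code from PHPOK. The hypothetical function userlist_unsafe() shows the pattern the analysis describes (request values spliced into the SQL text), and userlist_safe() shows the remediation with PDO prepared statements and an allow-list for the sort column; table and column names are assumed for the example.

```php
<?php
// Added example, not PHPOK's own code. Function, table and column
// names are hypothetical; only the unsafe/safe pattern is the point.

// Insecure: $keyword and $order come straight from the request and are
// concatenated into the statement, so they can change the query itself.
function userlist_unsafe(PDO $db, string $keyword, string $order): array
{
    $sql = "SELECT id, user, email FROM users WHERE user LIKE '%" . $keyword
         . "%' ORDER BY " . $order;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the search term is bound as a parameter, and the ORDER BY
// column (which cannot be a bound parameter) is checked against an allow-list.
function userlist_safe(PDO $db, string $keyword, string $order): array
{
    $allowedOrder = ['id' => 'id', 'user' => 'user', 'regtime' => 'regtime'];
    if (!isset($allowedOrder[$order])) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    // Escape LIKE wildcards in the term so it matches literally, using '!'
    // as the escape character (portable across MySQL and SQLite).
    $kw = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword) . '%';
    $sql = "SELECT id, user, email FROM users WHERE user LIKE :kw ESCAPE '!' "
         . "ORDER BY " . $allowedOrder[$order];
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':kw', $kw, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage sketch against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, email TEXT, regtime INTEGER)");
$db->exec("INSERT INTO users (user, email, regtime) VALUES "
        . "('alice', 'a@example.com', 1), ('bob', 'b@example.com', 2)");
print_r(userlist_safe($db, 'ali', 'user'));
```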

Reservation: 08/13/2020

Disclosure: 06/20/2023

Moderation: accepted

CPE: ready

EPSS: 0.00869

KEV: no

Activities: very low
