| Titolo | YzmCMS 7.5 SQL Injection |
|---|
| Descrizione | A SQL Injection vulnerability was discovered in YzmCMS v7.5 during the installation phase.
The issue resides in the file `/application/install/index.php`. The application retrieves the user-supplied 'siteurl' input via a POST request and processes it only with the `trim()` function. This variable is then directly concatenated into an UPDATE SQL statement without any sanitization or parameterized preparation (Prepared Statements), and executed via `$pdo->exec()`.
Defective Code:
$siteurl = trim($_POST['siteurl']);
$sql = "UPDATE `".$db_prefix."config` SET `value` = '$siteurl' WHERE `id` = 2";
$pdo->exec($sql);
An unauthenticated attacker can exploit this by manipulating the 'siteurl' parameter during the installation process. By using error-based SQL injection payloads (such as `updatexml`), the attacker can extract sensitive information from the database, including the database user, version, and administrator credentials, potentially leading to an administrative account takeover and subsequent Remote Code Execution (RCE) via backend template modifications. |
|---|
| Fonte | ⚠️ https://github.com/drose025/security/blob/main/1.md |
|---|
| Utente | D.Rose (UID 46535) |
|---|
| Sottomissione | 28/05/2026 11:19 (1 mese fa) |
|---|
| Moderazione | 28/06/2026 09:59 (1 month later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 374537 [YzmCMS fino a 7.5 index.php siteurl iniezione SQL] |
|---|
| Punti | 20 |
|---|