| タイトル | YzmCMS 7.5 SQL Injection |
|---|
| 説明 | A SQL Injection vulnerability was discovered in YzmCMS v7.5 during the installation phase.
The issue resides in the file `/application/install/index.php`. The application retrieves the user-supplied 'siteurl' input via a POST request and processes it only with the `trim()` function. This variable is then directly concatenated into an UPDATE SQL statement without any sanitization or parameterized preparation (Prepared Statements), and executed via `$pdo->exec()`.
Defective Code:
$siteurl = trim($_POST['siteurl']);
$sql = "UPDATE `".$db_prefix."config` SET `value` = '$siteurl' WHERE `id` = 2";
$pdo->exec($sql);
An unauthenticated attacker can exploit this by manipulating the 'siteurl' parameter during the installation process. By using error-based SQL injection payloads (such as `updatexml`), the attacker can extract sensitive information from the database, including the database user, version, and administrator credentials, potentially leading to an administrative account takeover and subsequent Remote Code Execution (RCE) via backend template modifications. |
|---|
| ソース | ⚠️ https://github.com/drose025/security/blob/main/1.md |
|---|
| ユーザー | D.Rose (UID 46535) |
|---|
| 送信 | 2026年05月28日 11:19 (1 月 ago) |
|---|
| モデレーション | 2026年06月28日 09:59 (1 month later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 374537 [YzmCMS 迄 7.5 index.php siteurl SQLインジェクション] |
|---|
| ポイント | 20 |
|---|