| Name | mingSoft MCMS 5.5.0 SQL Injection |
|---|
| Description | MCMS contains a SQL injection vulnerability in the content listing flow. The web content list endpoint collects request parameters into a map, forwards them to the business layer, and uses a FreeMarker SQL template to render a query string that contains attacker-controlled values. The rendered SQL is then executed directly, without parameterization.
This design allows attackers to inject arbitrary SQL fragments through parameters such as `typeids`, and potentially other interpolated fields, leading to unauthorized data access and possible modification of application data.
The vulnerable request flow starts in the public content list endpoint, where incoming HTTP parameters are converted into a `Map` using `BasicUtil.assemblyRequestMap()`. This map is passed directly into `contentBiz.list(map)`, where the SQL template associated with the `arclist` tag is loaded from the database and rendered with the attacker-controlled data via `ParserUtil.rendering(map, sqlFtl)`.
Because the SQL template performs direct string interpolation using FreeMarker expressions such as `${item}`, `${content_title}`, `${content_author}`, and `${content_source}`, user input becomes part of the final SQL statement. The resulting SQL string is then executed by `tagBiz.queryForList(sql)` without prepared statements or parameter binding.
An attacker can exploit this by:
1. Sending a crafted request to the content list endpoint
2. Supplying malicious input in `typeids` or another interpolated parameter
3. Causing FreeMarker to render the attacker input directly into the SQL text
4. Triggering execution of the resulting malicious SQL on the backend database
This is a classic SQL injection with a template-rendering step in the middle: FreeMarker interpolation performs no SQL quoting, escaping or binding, so it must not be mistaken for a safe dynamic query construction mechanism. The remediation is to validate each interpolated value against its expected type (for example, `typeids` as a list of integers) and to bind values through prepared statements instead of rendering them into the SQL string. |
|---|
| Source | https://github.com/wing3e/public_exp/issues/4 |
|---|
| User | Winegee (UID 96308) |
|---|
| Submission | 11.03.2026 10:23 (19 days ago) |
|---|
| Moderation | 27.03.2026 08:53 (16 days later) |
|---|
| Status | accepted |
|---|
| VulDB Entry | 353832 [mingSoft MCMS up to 5.5.0 Web Content List Endpoint ContentAction.java list SQL Injection] |
|---|
| Points | 20 |
|---|
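The request-map-to-template-to-query flow described in the Description above, reduced to a runnable Python mock. This is an added example and not code from MCMS: `render_sql_template` stands in for `ParserUtil.rendering` and a plain `execute` stands in for `tagBiz.queryForList`. The table names, columns, sample rows, the template text (`... IN (${typeids})`) and the payload are constructed assumptions for illustration; the real `arclist` template is only mimicked. The example goes one step beyond the advisory by placing the hardened variant (type validation plus bound placeholders) next to the vulnerable one.

```python
import re
import sqlite3

# Constructed in-memory sample data for the demo; not the real MCMS schema.
SCHEMA = """
CREATE TABLE cms_content (
    content_id      INTEGER PRIMARY KEY,
    content_title   TEXT,
    content_type_id INTEGER,
    content_display TEXT  -- 'public' rows may be listed, 'hidden' rows may not
);
CREATE TABLE cms_user (
    user_id       INTEGER PRIMARY KEY,
    password_hash TEXT
);
"""
CONTENT_ROWS = [
    (1, "Welcome", 1, "public"),
    (2, "Release notes", 2, "public"),
    (3, "Draft roadmap", 1, "hidden"),
    (4, "Archive", 3, "public"),
]
USER_ROWS = [(1, "hash-of-admin-password")]

# Assumed shape of the arclist SQL template: ${typeids} interpolated inside IN (...).
VULNERABLE_TEMPLATE = (
    "SELECT content_id, content_title FROM cms_content "
    "WHERE content_display = 'public' AND content_type_id IN (${typeids})"
)

# Constructed payload: closes the IN list, UNIONs the user table in, and
# comments out the remainder of the template.
PAYLOAD = "1) UNION SELECT user_id, password_hash FROM cms_user -- "


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cms_content VALUES (?, ?, ?, ?)", CONTENT_ROWS)
    conn.executemany("INSERT INTO cms_user VALUES (?, ?)", USER_ROWS)
    return conn


def render_sql_template(template, params):
    """Stand-in for FreeMarker ${name} interpolation: the raw request value is
    pasted into the SQL text with no quoting or escaping. (A missing key becomes
    an empty string here; real FreeMarker would raise instead.)"""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(params.get(m.group(1), "")), template)


def list_content_vulnerable(conn, request_params):
    """Request map -> rendered SQL string -> executed as-is, the pattern the
    advisory attributes to contentBiz.list() and tagBiz.queryForList()."""
    sql = render_sql_template(VULNERABLE_TEMPLATE, request_params)
    return conn.execute(sql).fetchall()


def parse_typeids(raw):
    """Whitelist validation: typeids must be a comma-separated list of integers."""
    raw = raw.strip()
    if not raw:
        return []
    ids = []
    for part in raw.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"invalid type id: {part!r}")
        ids.append(int(part))
    return ids


def list_content_safe(conn, request_params):
    """Hardened variant: validate first, then bind values through placeholders
    so request data never becomes part of the SQL text."""
    ids = parse_typeids(request_params.get("typeids", ""))
    if not ids:
        return []
    placeholders = ", ".join("?" * len(ids))  # only '?' markers enter the SQL
    sql = (
        "SELECT content_id, content_title FROM cms_content "
        f"WHERE content_display = 'public' AND content_type_id IN ({placeholders})"
    )
    return conn.execute(sql, ids).fetchall()


def demo():
    """Run both code paths on a benign and on a malicious request map."""
    conn = build_db()
    benign, malicious = {"typeids": "1,2"}, {"typeids": PAYLOAD}
    results = {
        "vulnerable_benign": list_content_vulnerable(conn, benign),
        "vulnerable_payload": list_content_vulnerable(conn, malicious),
        "safe_benign": list_content_safe(conn, benign),
    }
    try:
        list_content_safe(conn, malicious)
        results["safe_rejected_payload"] = False
    except ValueError:
        results["safe_rejected_payload"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file shows the two public rows of types 1 and 2 from both paths for the benign request, while the same payload pulls `cms_user` rows out through the interpolated path and is rejected by `parse_typeids` before any SQL is built. The hardened variant still assembles the placeholder list dynamically, which is acceptable because only `?` markers ever reach the SQL text; the request values travel separately as bound parameters.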