Gửi #771238: SSCMS V7.4.0 DDL Injection
| tiêu đề | SSCMS V7.4.0 DDL Injection |
|---|---|
| Mô tả | This is a high-severity SQL injection issue in the SitesAdd workflow. The user-controlled field tableHandWrite is passed into dynamic DDL construction (CREATE TABLE and CREATE INDEX) without strict identifier allowlist validation. The current protection is blacklist-style filtering plus identifier wrapping, which is not sufficient for SQL identifier contexts. As a result, crafted input can break SQL structure and trigger unintended schema operations,also can use time blind injection to achieve SQL |
| Nguồn | ⚠️ https:/ |
| Người dùng | Saul1213 (UID 94577) |
| Đệ trình | 04/03/2026 09:49 (cách đây 3 các tháng) |
| Kiểm duyệt | 15/03/2026 19:51 (11 days later) |
| Trạng thái | được chấp nhận |
| Mục VulDB | 351157 [SSCMS 7.4.0 DDL SitesAddController.Submit.cs tableHandWrite Tiêm SQL] |
| điểm | 20 |