CVE-2024-25400 is a security vulnerability identified in the Subrion Content Management System (CMS) version 4.2.1. This vulnerability allows attackers to gain unauthorized access to sensitive data stored in Subrion CMS, which can include user credentials, content, and other critical information. The vulnerability is a result of improper user input validation and can be abused by injecting malicious SQL queries. In this article, we will explore the exploit details, the vulnerable code, and a potential fix. We will also provide links to the original references and advisories related to this vulnerability.

Vulnerable Code and Exploit Details

The vulnerability is present in the ia.core.mysqli.php file of the Subrion CMS. A lack of proper input validation in the file allows malicious SQL injection, where an attacker can potentially access, modify, or delete sensitive data within the Subrion CMS database.

Below is the vulnerable code snippet extracted from the ia.core.mysqli.php file:

public function query($sql)
{
    if (false === strpos($sql, 'NOSCHEMACACHE') && isset($this->_cache['schema']))
    {
        $sql = str_replace('{PREFIX}', $this->_table_prefix, $sql);
    }
    $this->_last = $this->_connection->query($sql);
}

The vulnerability results from the lack of input validation on the $sql variable passed to the query() method, which is directly utilized in the query execution. An attacker can craft a custom SQL query and exploit the absence of input validation to perform unauthorized actions.

For instance, if an attacker successfully injects the following SQL fragment:

'; DROP TABLE users; --

This action will delete the "users" table within the Subrion CMS database, effectively deleting all user account data including user credentials.

Mitigation and Fix

In order to fix this vulnerability, input validation must be added to the vulnerable code in the ia.core.mysqli.php file. One standard approach is to use prepared statements with bound parameters, which keep user-supplied values separate from the query text so that they can never change the structure of the statement.

To implement the prepared statement approach, the existing vulnerable code can be modified as follows. The query text stays trusted (placeholders only), and every user-supplied value is passed in the new $params argument:

public function query($sql, array $params = [])
{
    if (false === strpos($sql, 'NOSCHEMACACHE') && isset($this->_cache['schema']))
    {
        $sql = str_replace('{PREFIX}', $this->_table_prefix, $sql);
    }

    // Prepared statement: $sql holds only trusted query text with '?' placeholders;
    // user-supplied values arrive in $params and are bound separately by the driver.
    $stmt = $this->_connection->prepare($sql);
    if (false === $stmt)
    {
        throw new RuntimeException('Failed to prepare statement: ' . $this->_connection->error);
    }
    if ($params)
    {
        // Bind every value as a string; MySQL coerces as needed and never parses it as SQL.
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    }
    $stmt->execute();
    $this->_last = $stmt->get_result();
}

With this modification, values passed through $params are bound by the driver rather than spliced into the SQL text, so they cannot change the structure of the statement. Prepared statements only give this protection when the values are bound: calling prepare() on a string that already has user input concatenated into it leaves the injection intact, so callers must pass user-controlled values exclusively through $params.

Original References and Advisories

1. Subrion CMS Official Website
2. GitHub Repository for Subrion CMS
3. National Vulnerability Database (NVD)

Conclusion

CVE-2024-25400 is a critical security vulnerability affecting Subrion CMS 4.2.1 that can lead to unauthorized access to sensitive data and compromise user accounts. It is essential for developers and administrators to understand the exploit details and the vulnerable code, and to implement the necessary fixes. As highlighted in this article, using prepared statements with bound parameters when handling user input can effectively mitigate SQL injection vulnerabilities.

Timeline

Published on: 02/27/2024 16:15:46 UTC
Last modified on: 02/28/2024 14:07:00 UTC