2022
03.24

ImpressCMS versions 1.4.2 and below pre-authentication SQL injection to remote code execution exploit. User input passed through the “groups” POST parameter to the /include/findusers.php script is not properly sanitized before being passed to the icms_member_Handler::getUserCountByGroupLink() and icms_member_Handler::getUsersByGroupLink() methods. These methods use the first argument to construct a SQL query without proper validation, and this can be exploited by remote attackers to e.g. read sensitive data from the “users” database table through boolean-based SQL Injection attacks. The application uses PDO as a database driver, which allows for stacked SQL queries, as such this vulnerability could be exploited to e.g. create a new admin user and execute arbitrary PHP code.

No Comment.

Add Your Comment

You must be logged in to post a comment.