Multiple SQL injection vulnerabilities in Open Constructor 3.12.0 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) data/gallery/edit.php, (2) data/guestbook/edit.php, (3) data/file/edit.php, (4) data/htmltext/edit.php, (5) data/publication/edit.php, or (6) data/event/edit.php.
Open Constructor 3.12.0 suffers from multiple SQL injection vulnerabilities, allowing attackers to execute arbitrary SQL commands. This could lead to complete compromise of the web application, including access to sensitive data and potentially the underlying server. Successful exploitation requires an authenticated user account, but the impact is severe.
Step 1: Authentication: The attacker must first obtain valid credentials for an authenticated user account within the Open Constructor application.
Step 2: Target Selection: The attacker identifies one of the vulnerable edit.php files (e.g., data/gallery/edit.php) and determines the appropriate id parameter to target.
Step 3: Payload Delivery: The attacker crafts a malicious SQL injection payload and injects it into the id parameter of the HTTP request. This payload is designed to alter the SQL query executed by the application.
Step 4: Query Execution: The vulnerable application receives the malicious request and, due to the lack of input validation, incorporates the attacker's payload directly into the SQL query without proper sanitization.
Step 5: Database Interaction: The database server executes the modified SQL query, which now includes the attacker's commands.
Step 6: Result: The attacker can then perform unauthorized actions, such as retrieving sensitive data, modifying existing data, or potentially gaining control of the database server, depending on the payload and the database server's configuration.
The vulnerability stems from insufficient input validation on the id parameter within several edit.php files: the application neither validates nor escapes the user-supplied value before incorporating it into SQL queries, and it does not use parameterized queries. Because the id is spliced into the query text, an attacker can alter the intended query logic and perform unauthorized actions such as data retrieval, modification, or even remote code execution if the database server's configuration allows it. The root cause is therefore the missing parameterization (or, failing that, the missing type check and escaping of SQL metacharacters) of the id parameter before it reaches the database.
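As an added illustration (not Open Constructor's own source), the following PHP shows the query pattern the advisory describes beside a hardened version of the same lookup; the table and column names (items, id, title) and the function names are assumptions.

```php
<?php
// Added example, not code from Open Constructor. Table/column names are assumed.

// VULNERABLE PATTERN: the request parameter is concatenated into the SQL text,
// so whatever arrives in $_GET['id'] is parsed as part of the query itself.
function load_item_unsafe(PDO $db, string $id): ?array
{
    $sql = "SELECT id, title FROM items WHERE id = " . $id;   // no validation, no binding
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: require a positive integer, then bind it as a typed parameter so the
// database receives it as a value and never as SQL syntax.
function load_item_safe(PDO $db, string $id): ?array
{
    $validated = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validated === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, title FROM items WHERE id = :id');
    $stmt->bindValue(':id', $validated, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical edit.php-style handler using the hardened lookup.
// A rejected id yields a 400 instead of reaching the database; log it as well,
// since repeated rejections on this parameter are a useful detection signal.
$db = new PDO('sqlite::memory:');   // placeholder DSN; use the app's real connection
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO items (id, title) VALUES (3, 'sample record')");

try {
    $item = load_item_safe($db, $_GET['id'] ?? '3');
    echo $item === null ? "not found\n" : $item['title'] . "\n";
} catch (InvalidArgumentException $e) {
    error_log('rejected id parameter: ' . ($_GET['id'] ?? ''));
    http_response_code(400);
    echo "Bad request\n";
}
```

Run from the CLI it prints "sample record"; the unsafe function is kept only to show the pattern that must be replaced, and should not remain in a deployed handler.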