CVE-2013-7242

Source: cve@mitre.org

MEDIUM
6.5
Published: December 31, 2013 at 03:16 PM
Modified: April 11, 2025 at 12:51 AM

Vulnerability Description

SQL injection vulnerability in zp-core/zp-extensions/wordpress_import.php in Zenphoto before 1.4.5.4 allows remote authenticated administrators to execute arbitrary SQL commands via the tableprefix parameter.

CVSS Metrics

Base Score
6.5
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:S/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Zenphoto versions prior to 1.4.5.4 contain an SQL injection flaw, rated MEDIUM (CVSS 6.5), that allows authenticated administrators to execute arbitrary SQL commands through the tableprefix parameter of the wordpress_import.php script. This could lead to system compromise, including data theft and server control.

02 // Vulnerability Mechanism

Step 1: Authentication: The attacker must first authenticate as an administrator within the Zenphoto CMS. This is a prerequisite for exploiting the vulnerability.

Step 2: Payload Delivery: The attacker crafts a malicious SQL injection payload designed to be injected into the tableprefix parameter. This payload is then sent to the wordpress_import.php script.

Step 3: Request Submission: The attacker submits the crafted request, typically via a POST request, to the vulnerable script.

Step 4: SQL Query Execution: The wordpress_import.php script processes the request and incorporates the attacker-controlled tableprefix value directly into an SQL query without proper sanitization.

Step 5: Database Interaction: The database server executes the modified SQL query, which now includes the attacker's malicious SQL code.

Step 6: Exploitation: Depending on the payload, the attacker can achieve various goals, such as reading sensitive data (e.g., usernames, passwords), modifying data, or potentially gaining remote code execution if the database user has sufficient privileges.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation of the tableprefix parameter within the wordpress_import.php script. Specifically, the script fails to properly sanitize user-supplied input before incorporating it into SQL queries. This allows an attacker to inject malicious SQL code, which is then executed by the database server. The root cause is a lack of parameterized queries or proper escaping of user-provided data, leading to a direct injection vulnerability. The attacker can manipulate the tableprefix parameter to alter the SQL query's logic, enabling them to read, modify, or delete data from the database, or even execute arbitrary commands on the server if the database user has sufficient privileges.

04 // Exploitation Status

Public PoC is available. While the vulnerability requires administrator privileges, the ease of exploitation and potential impact make it a significant risk. The vulnerability is likely actively exploited.

05 // Threat Intelligence

While no specific APT groups are directly linked, the nature of the vulnerability makes it attractive to various threat actors. This vulnerability could be leveraged by attackers for initial access, data exfiltration, or further compromise. This CVE is not listed on the CISA KEV list, but its potential impact warrants attention.

06 // Detection & Hunting

  • Monitor web server logs for suspicious POST requests to zp-core/zp-extensions/wordpress_import.php with unusual tableprefix values, especially those containing SQL keywords (e.g., SELECT, UPDATE, INSERT, DELETE, UNION).

  • Implement a Web Application Firewall (WAF) to detect and block SQL injection attempts based on signature-based and behavior-based analysis.

  • Analyze database query logs for unusual activity originating from the web server, such as unexpected queries or modifications to sensitive data.

  • Monitor file system changes for modifications to wordpress_import.php or other core Zenphoto files.
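The first check above, as an added example (not Zenphoto or vendor code): a Python filter that flags requests to wordpress_import.php whose tableprefix value is not a plain identifier. The log lines are constructed, and the body="..." field and the 32-character identifier rule are assumptions; standard access logs do not record POST bodies, so that field has to come from an audit log.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET = "zp-core/zp-extensions/wordpress_import.php"
# Assumption: a legitimate table prefix is a short identifier (letters, digits, underscore).
SAFE_PREFIX = re.compile(r"[A-Za-z0-9_]{0,32}")
# Combined-log request line, plus an optional body="..." field.
# Assumption: the body field is written by an audit log that records form data.
LINE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
    r'(?:.*? body="(?P<body>[^"]*)")?')

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - admin [31/Dec/2013:10:00:00 +0000] "POST /zp-core/zp-extensions/wordpress_import.php HTTP/1.1" 200 512 body="tableprefix=wp_"',
    '198.51.100.7 - admin [31/Dec/2013:10:05:00 +0000] "POST /zp-core/zp-extensions/wordpress_import.php HTTP/1.1" 200 498 body="tableprefix=wp_%27+x"',
    '192.0.2.10 - - [31/Dec/2013:10:06:00 +0000] "GET /index.php?tableprefix=a%20b HTTP/1.1" 200 100',
    '192.0.2.10 - admin [31/Dec/2013:10:07:00 +0000] "GET /zp-core/zp-extensions/wordpress_import.php?tableprefix=wp2_ HTTP/1.1" 200 300',
]

def tableprefix_values(url, body):
    """Collect decoded tableprefix values from the query string and a logged form body."""
    from_query = parse_qs(urlsplit(url).query, keep_blank_values=True).get("tableprefix", [])
    from_body = parse_qs(body or "", keep_blank_values=True).get("tableprefix", [])
    return from_query + from_body

def suspicious_requests(lines):
    """Return (ip, method, value) for requests to the import script with a non-identifier prefix."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or not urlsplit(m["url"]).path.endswith(TARGET):
            continue  # unparsable line, or a request to some other script
        for value in tableprefix_values(m["url"], m["body"]):
            if not SAFE_PREFIX.fullmatch(value):
                hits.append((m["ip"], m["method"], value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Matching on an allowlist of identifier characters, rather than on a list of SQL keywords, also catches values that avoid the keywords named above.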

07 // Remediation & Hardening

  • Upgrade to Zenphoto version 1.4.5.4 or later.

  • Implement parameterized queries or prepared statements in all database interactions to prevent SQL injection.

  • Sanitize all user-supplied input before incorporating it into SQL queries, using appropriate escaping functions.

  • Enforce the principle of least privilege for the database user used by Zenphoto. Limit the user's permissions to only those necessary for the application's functionality.

  • Regularly scan the web application for vulnerabilities using automated tools.

  • Implement a Web Application Firewall (WAF) to filter malicious traffic.

08 // Affected Products

Zenphoto versions prior to 1.4.5.4
