A vulnerability classified as critical has been found in S-CMS up to 2.0_build20220529-20231006. The issue affects an unknown part of the file /member/ad.php?action=ad. Manipulation of the argument A_text/A_url/A_contact leads to SQL injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249392. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
S-CMS versions up to 2.0_build20220529-20231006 are vulnerable to a critical SQL injection flaw. Attackers can exploit the /member/ad.php?action=ad endpoint by manipulating the A_text, A_url, or A_contact parameters, potentially leading to unauthorized access, data exfiltration, or complete system compromise.
Step 1: Payload Delivery: The attacker crafts a malicious payload containing SQL code designed to manipulate the database query. This payload is embedded within the A_text, A_url, or A_contact parameters of an HTTP GET or POST request to /member/ad.php?action=ad.
Step 2: Request Submission: The attacker submits the crafted request to the vulnerable S-CMS instance.
Step 3: Query Execution: The vulnerable script, /member/ad.php?action=ad, receives the request and incorporates the attacker-controlled parameters directly into a SQL query.
Step 4: SQL Injection: The malicious SQL code within the payload is executed by the database server, altering the intended query's behavior.
Step 5: Data Manipulation: Depending on the injected SQL code, the attacker can achieve various objectives, such as retrieving sensitive data (e.g., usernames, passwords), modifying existing data, or even gaining administrative access to the system.
The vulnerability stems from insufficient validation and sanitization of user-supplied data in the /member/ad.php?action=ad script. Specifically, the script most likely incorporates the values of the A_text, A_url, and A_contact parameters directly into SQL queries without escaping or filtering them, which allows an attacker to inject SQL code that alters the intended query logic. The root cause is a failure to use parameterized queries or other secure coding practices that prevent SQL injection. The lack of a vendor response further exacerbates the risk, because no official patch is likely to be available.
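The following is an added illustration, not S-CMS source code: a hypothetical ad-submission handler showing the string-concatenation pattern the root cause describes beside a PDO prepared-statement fix. The `ads` table, its columns, the `insertAdUnsafe`/`insertAdSafe` functions and the validation rules are all assumptions.

```php
<?php
// Added illustration, not S-CMS code: a hypothetical ad-submission handler showing
// the concatenation pattern described above and its prepared-statement fix.
// Table name "ads" and its columns are assumptions.
declare(strict_types=1);
// Flawed pattern: A_text/A_url/A_contact are spliced into the SQL text, so any
// quote in a value becomes part of the query rather than part of the data.
function insertAdUnsafe(PDO $db, array $req): void
{
    $sql = "INSERT INTO ads (a_text, a_url, a_contact) VALUES ('"
        . $req['A_text'] . "', '" . $req['A_url'] . "', '" . $req['A_contact'] . "')";
    $db->exec($sql);
}

// Hardened pattern: fixed SQL text, values bound as parameters; the database
// never parses them as SQL. Format and length validation is still done separately.
function insertAdSafe(PDO $db, array $req): int
{
    $text    = (string) ($req['A_text'] ?? '');
    $url     = (string) ($req['A_url'] ?? '');
    $contact = (string) ($req['A_contact'] ?? '');
    if (strlen($text) > 500 || strlen($contact) > 100) {
        throw new InvalidArgumentException('field too long');
    }
    if ($url !== '' && filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('A_url is not a valid URL');
    }
    $stmt = $db->prepare(
        'INSERT INTO ads (a_text, a_url, a_contact) VALUES (:text, :url, :contact)'
    );
    $stmt->execute([':text' => $text, ':url' => $url, ':contact' => $contact]);
    return (int) $db->lastInsertId();
}

// Stand-alone demo on in-memory SQLite with constructed input.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, a_text TEXT, a_url TEXT, a_contact TEXT)');
// A legitimate value with an apostrophe: breaks the unsafe query, stored intact by the safe one.
$req = ['A_text' => "O'Reilly books", 'A_url' => 'https://example.com', 'A_contact' => 'ads@example.com'];
try {
    insertAdUnsafe($db, $req);
} catch (PDOException $e) {
    echo "unsafe query failed on a plain apostrophe: the data is being parsed as SQL\n";
}
$id = insertAdSafe($db, $req);
$stmt = $db->prepare('SELECT a_text FROM ads WHERE id = :id');
$stmt->execute([':id' => $id]);
echo 'safe insert stored: ' . $stmt->fetchColumn() . "\n";
```

The apostrophe in an ordinary value is enough to make the concatenated query fail, which is the same mechanism an injected payload abuses; with bound parameters the value is stored verbatim and the query text cannot change.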