CVE-2023-7191

MEDIUM 5.5 / 10.0
Published: December 31, 2023 at 04:15 PM
Modified: November 21, 2024 at 08:45 AM
Source: cna@vuldb.com

Vulnerability Description

A vulnerability, which was classified as critical, was found in S-CMS up to 2.0_build20220529-20231006. This affects an unknown part of the file member/reg.php. The manipulation of the argument M_login/M_email leads to SQL injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249393 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Metrics

Base Score
5.5
Severity
MEDIUM
Vector String
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Weaknesses (CWE)

Source: cna@vuldb.com

AI Security Analysis

01 // Technical Summary

S-CMS versions up to 2.0_build20220529-20231006 are vulnerable to a critical SQL injection flaw. Attackers can exploit the member/reg.php file by manipulating the M_login or M_email parameters, potentially leading to unauthorized access, data breaches, and complete system compromise. The vulnerability is publicly known and easily exploitable, posing a significant risk to affected organizations.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious payload containing SQL injection code. This payload is designed to exploit the vulnerability in the member/reg.php file.

Step 2: Parameter Manipulation: The attacker submits the crafted payload through a specially crafted HTTP request, targeting the member/reg.php file and manipulating the M_login or M_email parameters. The payload is designed to be interpreted as SQL code.

Step 3: Query Execution: The vulnerable S-CMS application receives the malicious request and, due to the lack of proper input validation, incorporates the attacker's payload directly into an SQL query. The database server then executes this modified query.

Step 4: Data Exfiltration/System Compromise: Depending on the attacker's payload, the executed SQL query can lead to various outcomes, including data exfiltration (e.g., retrieving usernames, passwords, or other sensitive information), modification of data (e.g., altering user privileges), or even complete system compromise (e.g., gaining remote code execution).

03 // Deep Technical Analysis

The flaw lies in the member/reg.php file of S-CMS, specifically in how the application handles the M_login and M_email parameters during registration. These values are neither sanitized nor validated before being incorporated into SQL queries. The root cause is the absence (or inadequate use) of parameterized queries or prepared statements: user-supplied data is concatenated directly into the SQL statement text, so the database parses it as part of the query rather than as a value. An attacker who controls either parameter can therefore alter the query's structure and execute arbitrary SQL, which may allow bypassing authentication, extracting sensitive information, modifying data, or, depending on database privileges and configuration, gaining control of the database server and the underlying system. Note that the CVSS 3.1 vector on this page (AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) rates the expected impact below that worst case: adjacent-network access and low privileges are required, and confidentiality, integrity and availability impact are each rated low, which yields the MEDIUM 5.5 score. The remediation is to pass M_login and M_email as bound parameters of a prepared statement instead of building the query string from them.
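As an added illustration, not S-CMS's own code (which this page does not show): a hypothetical registration handler that splices M_login and M_email into the statement text, beside the prepared-statement form the analysis above calls for, run against an in-memory SQLite database through PDO. The table and column names are assumed, and the sample input is constructed.

```php
<?php
// Illustrative registration handler, NOT S-CMS's own code. It shows the
// concatenation pattern the advisory describes for M_login/M_email next to
// the prepared-statement fix, using an in-memory SQLite database via PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Assumed schema: the real S-CMS table layout is not on this page.
$pdo->exec('CREATE TABLE member (M_login TEXT UNIQUE, M_email TEXT)');

// Vulnerable pattern (hypothetical): request values become part of the SQL
// text, so any quote or SQL syntax inside them changes what the query means.
function register_unsafe(PDO $pdo, string $login, string $email): void {
    $sql = "INSERT INTO member (M_login, M_email) VALUES ('$login', '$email')";
    $pdo->exec($sql);
}

// Hardened version: the statement shape is fixed at prepare() time and the
// values travel separately as bound parameters, so they can only be data.
// Email format validation is added as defence in depth, not as the fix itself.
function register_safe(PDO $pdo, string $login, string $email): void {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('M_email is not a valid address');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO member (M_login, M_email) VALUES (:login, :email)'
    );
    $stmt->execute([':login' => $login, ':email' => $email]);
}

// Constructed input: an ordinary name containing an apostrophe is enough to
// show the difference; no attack string is needed.
$login = "o'hara";
$email = 'ohara@example.invalid';

try {
    register_unsafe($pdo, $login, $email);
} catch (PDOException $e) {
    // The quote ends the string literal early and the query fails to parse.
    // Database syntax errors triggered by registration input are a useful
    // signal in application logs that this code path is being probed.
    echo 'concatenation: ' . $e->getMessage() . PHP_EOL;
}

register_safe($pdo, $login, $email);
$row = $pdo->query('SELECT M_login FROM member')->fetch(PDO::FETCH_ASSOC);
// The apostrophe is stored verbatim because it was never parsed as SQL.
echo 'prepared statement stored: ' . $row['M_login'] . PHP_EOL;
```

Running the script requires PHP with the pdo_sqlite extension; the first call fails with a SQLite syntax error while the second stores the name intact.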

CVE-2023-7191 - MEDIUM Severity (5.5) | Free CVE Database | 4nuxd