EXPECTED BEHAVIOUR
An authenticated malicious user can exploit a UNION-based SQL injection vulnerability through the quicksearch parameter in the URL.
IMPACT
A successful SQL injection attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.
VULNERABILITY CODE
I found that the quicksearch parameter is not handled in the WHERE clause of the SQL query in \lib\packages\comments\comments.php
And the protect function in \lib\core\core.php does not use ESCAPE to filter special characters
Then it is used to query in: \lib\core\database.class.php
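To make the fix concrete, here is an added example that is not Navigate CMS code: it contrasts the unsafe pattern the report describes (the raw quicksearch value concatenated into a LIKE clause) with a prepared-statement version. The table name `comments`, the column `message`, the `quicksearch_unsafe`/`quicksearch_safe` function names and the in-memory SQLite setup are all assumptions made for this illustration; the real project's schema and database class are not reproduced here.

```php
<?php
// Added example, not project code. Assumed schema: comments(id, message, date_created).
// Uses an in-memory SQLite database so the file runs stand-alone with plain PHP + PDO.

// Hypothetical unsafe pattern of the kind the report describes: the parameter is
// spliced into the SQL text, so a quote or parenthesis in the value ends the LIKE
// literal and whatever follows is parsed as SQL. Shown only for comparison.
function quicksearch_unsafe(PDO $pdo, string $q): array
{
    $sql = "SELECT id, message, date_created FROM comments "
         . "WHERE message LIKE '%" . $q . "%' ORDER BY date_created DESC";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: the value is bound as data, never as SQL text, and the LIKE
// wildcards inside it are escaped (ESCAPE '!') so a user cannot widen the match.
// Sort column and direction cannot be bound, so they are checked against an allow-list.
function quicksearch_safe(PDO $pdo, string $q, string $sidx = 'date_created',
                          string $sord = 'desc', int $rows = 30, int $page = 1): array
{
    // Escape the escape character itself first, then the wildcards % and _.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $q) . '%';

    // Allow-list identifiers; fall back to a safe default on anything unexpected.
    $allowedCols = ['id', 'message', 'date_created'];
    $col = in_array($sidx, $allowedCols, true) ? $sidx : 'date_created';
    $dir = strtolower($sord) === 'asc' ? 'ASC' : 'DESC';

    $sql = "SELECT id, message, date_created FROM comments "
         . "WHERE message LIKE :pattern ESCAPE '!' "
         . "ORDER BY $col $dir LIMIT :limit OFFSET :offset";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', max(1, $rows), PDO::PARAM_INT);
    $stmt->bindValue(':offset', max(0, ($page - 1) * $rows), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE comments (id INTEGER PRIMARY KEY, message TEXT, date_created TEXT)");
$ins = $pdo->prepare("INSERT INTO comments (message, date_created) VALUES (?, ?)");
$ins->execute(['50%_off this week', '2021-06-10']);
$ins->execute(['500 off next week', '2021-06-11']);
$ins->execute(['plain comment',      '2021-06-12']);

// A literal search for "50%_off" must match only the row containing that text:
// without wildcard escaping, % and _ would also match "500 off next week".
$rows = quicksearch_safe($pdo, '50%_off');
printf("%d row(s) matched: %s\n", count($rows), $rows[0]['message'] ?? '(none)');

// A value containing a quote is simply data for the safe version, whereas the
// unsafe version would raise a syntax error (or worse) on the same input.
$rows = quicksearch_safe($pdo, 'it\'s');
printf("%d row(s) matched for a value containing a quote\n", count($rows));
```

The important design points are that the search value only ever reaches the database as a bound parameter, that `%` and `_` are escaped with an explicit `ESCAPE` character so the prepared statement also preserves the intended literal match, and that the column and direction names taken from the URL (`sidx`, `sord`) go through an allow-list rather than into the SQL string directly.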
STEPS TO REPRODUCE
We change the request URL to:
GET /navigate/navigate/navigate.php?fid=comments&act=json&_search=true&quicksearch=%25")+UNION+ALL+SELECT+DATABASE(),null,null,null,null,null,null,VERSION()%3b--&_search=false&nd=1623493056682&rows=30&page=1&sidx=date_created&sord=desc&filters=