Blocked accounts abused in Evolution CMS SQL injection attacks

Details of duo of flaws in management portal made public weeks after fix



A severe unauthenticated SQL injection vulnerability has been patched by developers of the Evolution CMS.


Evolution is a PHP-based, open source content management system (CMS) used to manage the backend of websites.


On February 8, cybersecurity firm Synacktiv publicly revealed the existence of two security flaws in the CMS and how a “blocked account” can be exploited to perform an “unauthenticated SQLi in Evolution CMS using the header”.


Written by Synacktiv’s Nicolas Biscos and Thomas Etrillard, the security advisory (PDF) details an unauthenticated SQL injection vulnerability on the Evolution manager login page.




This security flaw was caused by how the application processes SQL queries. If a user were to send crafted data, the query could be modified before it reached an Evolution database.


The CMS logs actions in the manager interface by inserting data into a database, but the IP field is not scrubbed properly, so a tampered header can alter the query.


When an account in the manager interface is blocked, a particular function is called that an attacker can exploit without authentication to extract SQL database records.
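The logging flaw described above, as an added example (not code from Evolution CMS or the Synacktiv advisory): a Python and SQLite stand-in for a manager-log insert, with the header-derived IP concatenated into the query beside a form that validates the address and binds it as a parameter. The table, function names and sample header value are all constructed for illustration.

```python
import ipaddress
import sqlite3

def make_db():
    # Hypothetical log table; not the CMS's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE manager_log (ip TEXT, username TEXT, action TEXT)")
    return db

def log_action_vulnerable(db, header_ip, username, action):
    # Weak form: the header-supplied value is pasted into the SQL text,
    # so a quote inside it ends the string literal and rewrites the statement.
    sql = ("INSERT INTO manager_log (ip, username, action) "
           f"VALUES ('{header_ip}', '{username}', '{action}')")
    db.execute(sql)

def log_action_hardened(db, header_ip, username, action):
    # 1) Validate: the field must parse as an IPv4 or IPv6 address.
    try:
        ip = str(ipaddress.ip_address(header_ip.strip()))
    except ValueError:
        ip = "invalid"
    # 2) Bind: values travel separately from the SQL text, so even an
    #    unvalidated string could not change the statement's structure.
    db.execute(
        "INSERT INTO manager_log (ip, username, action) VALUES (?, ?, ?)",
        (ip, username, action),
    )

def rows(db):
    return db.execute("SELECT ip, username, action FROM manager_log").fetchall()

# Constructed sample: a client-controlled header value carrying SQL syntax.
CRAFTED = "203.0.113.7', 'someone-else', 'login') --"

def demo():
    weak, strong = make_db(), make_db()
    log_action_vulnerable(weak, CRAFTED, "alice", "account blocked")
    log_action_hardened(strong, CRAFTED, "alice", "account blocked")
    log_action_hardened(strong, "203.0.113.7", "alice", "account blocked")
    return rows(weak), rows(strong)

if __name__ == "__main__":
    weak_rows, strong_rows = demo()
    print("concatenated:", weak_rows)
    print("validated + bound:", strong_rows)
```

In the concatenated version the stored row no longer reflects the real user or action, which is the "query modified before landing in the database" behaviour; the hardened version records the value as invalid and stores legitimate addresses unchanged.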


A threat ..
