CVE-2019-12358
📋 TL;DR
This SQL injection vulnerability in zzcms 2019 allows attackers with dls_print authority to execute arbitrary SQL commands via the dlid cookie in /dl/dl_sendsms.php. This could lead to data theft, modification, or deletion. All zzcms 2019 installations with the vulnerable component are affected.
💻 Affected Systems
- zzcms
📦 What is this software?
zzcms (vendor: zzcms), a PHP-based content management system; the vulnerable component is the download/SMS handler at /dl/dl_sendsms.php.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise, including data exfiltration, data destruction, escalation to an administrative application account (for example by reading or rewriting the admin credential rows), and potential remote code execution if the database account has file-writing privileges (for example MySQL's FILE privilege with INTO OUTFILE) and can write into a web-served directory.
Likely Case
Unauthorized access to sensitive data in the database, including user credentials, personal information, and business data.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection.
🎯 Exploit Status
Exploitation requires an authenticated account with dls_print authority, so it is not anonymous, but once such an account is available the injection point is a cookie value, which is well understood and easily automated (generic SQL injection tooling can target a cookie as the injection point).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: No fixed release is referenced; the fix is a code change in /dl/dl_sendsms.php
Vendor Advisory: https://github.com/cby234/zzcms/issues/5
Restart Required: No
Instructions:
1. Review the GitHub issue for the specific vulnerable code path in /dl/dl_sendsms.php.
2. Replace the string-built SQL query with a parameterized/prepared statement so the cookie value is bound as data, never concatenated into the query text.
3. Validate the dlid cookie as a plain integer before it reaches the query, and keep the existing dls_print authority check in place.
4. Test the fix (valid and malformed dlid values) before deployment.
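The fix described above, as an added example that is not zzcms's own code: a constructed handler showing the vulnerable pattern (cookie value concatenated into SQL) next to the hardened version the instructions call for. The table and column names (dl_sms, id), the $db mysqli connection and the function names are assumptions; the real code in /dl/dl_sendsms.php will differ and should be read from the GitHub issue.

```php
<?php
// Added example, not zzcms code. Illustrates the class of bug in the advisory
// and the fix the instructions call for. Table/column names (dl_sms, id) and
// the $db mysqli connection are assumptions.

// BEFORE (vulnerable pattern): the cookie value is pasted straight into SQL.
// A cookie such as dlid=1' OR '1'='1 changes the meaning of the query.
function load_record_vulnerable(mysqli $db, string $dlid): ?array
{
    $sql = "SELECT * FROM dl_sms WHERE id='" . $dlid . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// AFTER: validate the cookie as a positive integer, then bind it as a
// parameter. The value never becomes part of the SQL text, so it cannot
// alter the query even if validation were later weakened.
function load_record_fixed(mysqli $db, ?string $dlid): ?array
{
    $id = filter_var($dlid ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('Invalid dlid');
    }
    $stmt = $db->prepare('SELECT * FROM dl_sms WHERE id = ?');
    $stmt->bind_param('i', $id);          // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Usage in the page handler, after the existing dls_print authority check:
// $row = load_record_fixed($db, $_COOKIE['dlid'] ?? null);
```

The integer validation and the prepared statement are complementary: validation rejects garbage early and gives a clean 400, while the bound parameter is what actually removes the injection, so do not drop it on the grounds that the value "is already checked".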
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation so the dlid cookie is rejected unless it is a plain integer, before it reaches any query. This narrows the attack surface but is not a substitute for a prepared statement.
// PHP example (FILTER_VALIDATE_INT is stricter than is_numeric(), which also accepts floats and exponent notation such as "1e3"):
$dlid = filter_var($_COOKIE['dlid'] ?? '', FILTER_VALIDATE_INT);
if ($dlid === false) { die('Invalid input'); }
Access Restriction
Restrict access to /dl/dl_sendsms.php to the users who actually need it. This adds a second authentication layer in front of the application's own dls_print check; it does not remove the injection.
# Apache (server or vhost config; <Location> is not permitted in .htaccess):
<Location "/dl/dl_sendsms.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</Location>
# Nginx (exact-match location; it must still hand the request to PHP-FPM, otherwise nginx serves the PHP source as a static file):
location = /dl/dl_sendsms.php {
    auth_basic "Restricted";
    auth_basic_user_file /path/to/.htpasswd;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # use the same socket/address as your existing PHP location
}
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with SQL injection rules to block malicious requests
- Monitor and restrict user accounts with dls_print authority to minimize attack surface
🔍 How to Verify
Check if Vulnerable:
In a test copy of the site, log in with an account that has dls_print authority, request /dl/dl_sendsms.php with a valid integer dlid cookie, then repeat with a single quote appended to the value (for example dlid=1%27). An SQL error in the response or logs, or an HTTP 500 where the valid value returned 200, indicates the cookie value reaches the query unescaped. Do not run injection probes against production systems.
Check Version:
Check zzcms version in admin panel or review installation files for version indicators
Verify Fix Applied:
Repeat the probe from "Check if Vulnerable" after patching: the malformed cookie should be rejected cleanly (for example with a 400) and produce no SQL error, and a code review of /dl/dl_sendsms.php should show the dlid value validated and bound as a prepared-statement parameter rather than concatenated into the query string.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors (for example mysqli/mysql_query warnings) in the application or PHP error logs
- Multiple requests to /dl/dl_sendsms.php from one session returning 500, or with markedly different response sizes, alongside malformed dlid values
- Requests with SQL keywords, quote characters or their URL-encoded forms (%27, %20OR%20) in cookie values
- Note: the default Apache combined and Nginx log formats do not record cookies; add %{Cookie}i (Apache) or $http_cookie (Nginx) to the log format, or rely on the WAF/reverse-proxy log, or the indicators above will never appear
Network Indicators:
- HTTP requests to /dl/dl_sendsms.php containing SQL injection patterns in cookies
SIEM Query (Splunk-style; adjust field names to your log schema, and note the cookie field only exists if the Cookie header is being logged):
source="web_logs" AND uri_path="/dl/dl_sendsms.php" AND (cookie="*SELECT*" OR cookie="*UNION*" OR cookie="*OR*1=1*" OR cookie="*dlid=*'*" OR cookie="*dlid=*%27*")
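A log-scan implementation of the indicators above, added here and not part of the advisory or of zzcms. Instead of matching SQL keywords, it flags every request to /dl/dl_sendsms.php whose dlid cookie is anything other than a plain integer, which also catches URL-encoded and keyword-free payloads that substring matches miss. It assumes an Apache LogFormat with the Cookie header appended to the combined fields, that a legitimate dlid is an integer id, and the log lines below are constructed samples, not real traffic.

```php
<?php
// Added example, not part of the advisory or of zzcms. Scans access-log lines
// for requests to /dl/dl_sendsms.php whose dlid cookie is not a plain integer.
// Assumes LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Cookie}i\"" (the Cookie
// field is NOT in the default combined format and must be added).

const DLID_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)"/';

function suspicious_dlid_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(DLID_LOG_RE, $line, $m)) {
            continue;                                   // not in the expected format
        }
        [, $ip, $ts, $path, $status, $cookies] = $m;
        if (strtok($path, '?') !== '/dl/dl_sendsms.php') {
            continue;                                   // other endpoint
        }
        if (!preg_match('/(?:^|;\s*)dlid=([^;]*)/', $cookies, $c)) {
            continue;                                   // endpoint hit without a dlid cookie
        }
        $dlid = urldecode($c[1]);                       // decode %27 etc. before checking
        if (!preg_match('/^\d{1,10}\z/', $dlid)) {      // legitimate value: integer id only
            $hits[] = ['ip' => $ip, 'time' => $ts, 'status' => (int)$status, 'dlid' => $dlid];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic): a normal request, an error
// probe, a boolean-based payload, and a malformed dlid on an unrelated page.
$sample = [
    '203.0.113.7 - - [10/Jun/2019:10:01:02 +0000] "GET /dl/dl_sendsms.php HTTP/1.1" 200 512 "PHPSESSID=abc; dlid=42"',
    '203.0.113.7 - - [10/Jun/2019:10:01:09 +0000] "GET /dl/dl_sendsms.php HTTP/1.1" 500 0 "PHPSESSID=abc; dlid=42%27"',
    '203.0.113.7 - - [10/Jun/2019:10:01:15 +0000] "GET /dl/dl_sendsms.php HTTP/1.1" 200 9031 "PHPSESSID=abc; dlid=42%27%20OR%201=1--%20"',
    '198.51.100.2 - - [10/Jun/2019:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "PHPSESSID=def; dlid=1%27"',
];

foreach (suspicious_dlid_requests($sample) as $h) {
    printf("%s %s status=%d dlid=%s\n", $h['time'], $h['ip'], $h['status'], $h['dlid']);
}
```

Run with php scan.php; on the sample it reports the second and third lines only. Pair the hits with the 500 status and the response-size jump (512 to 9031 bytes for the same session) to separate a probe from a successful extraction.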