CVE-2021-26739

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in millken doyocms 2.3 allows attackers to execute arbitrary SQL commands via the attribute parameter in pay.php. Attackers can potentially read, modify, or delete database content, and in worst cases execute arbitrary code on the server. All installations of doyocms 2.3 using the vulnerable pay.php component are affected.

💻 Affected Systems

Products:
  • millken doyocms
Versions: Version 2.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation with pay.php accessible and default configuration is vulnerable

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise including remote code execution, database exfiltration, and persistent backdoor installation

🟠 Likely Case: Database manipulation, sensitive data theft, and potential privilege escalation

🟢 If Mitigated: Limited impact with proper input validation and database permissions

🌐 Internet-Facing: HIGH - Directly accessible via web interface with no authentication required
🏢 Internal Only: MEDIUM - Still exploitable by internal users or compromised accounts

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SQL injection with publicly available details in GitHub issues

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://github.com/millken/doyocms/issues/5

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative CMS or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation Filter

all

Add parameter validation to pay.php to sanitize the attribute parameter

Edit pay.php and add input validation before SQL query execution

WAF Rule Implementation

all

Deploy web application firewall rules to block SQL injection patterns

Configure WAF to block requests containing SQL keywords in attribute parameter

🧯 If You Can't Patch

  • Disable or remove pay.php if not required
  • Implement network segmentation and restrict access to vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check if pay.php exists and is accessible, test with SQL injection payloads in attribute parameter

Check Version:

Check CMS version in configuration files or admin panel

Verify Fix Applied:

Test with SQL injection payloads after implementing fixes, verify no database errors or unexpected behavior

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple requests to pay.php with SQL keywords in parameters

Network Indicators:

  • HTTP requests to pay.php containing SQL injection patterns in attribute parameter

SIEM Query:

source="web_server" AND uri="*/pay.php" AND param="*attribute*" AND (value="*SELECT*" OR value="*UNION*" OR value="*OR*")
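The log indicators above expressed as a small offline detector, added here as an illustration (not part of this advisory or the doyocms project): it parses combined-format access log lines, isolates requests to pay.php, URL-decodes the attribute parameter and flags SQL tokens on word boundaries, which avoids the false positives a wildcard match such as `*OR*` produces on values like "orderform". The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2021:12:00:01 +0000] "GET /pay.php?attribute=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2021:12:00:05 +0000] "GET /pay.php?attribute=1%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 2048 "-" "sqlmap/1.5"
198.51.100.7 - - [10/Mar/2021:12:01:00 +0000] "GET /pay.php?attribute=orderform HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:12:01:10 +0000] "GET /index.php?id=1%20OR%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL keywords are matched on word boundaries so "orderform" does not trigger on "or";
# comment openers and a stray quote are flagged as tokens in their own right.
SQL_TOKEN_RE = re.compile(r"\b(select|union|or|and|sleep|benchmark)\b|--|/\*|'", re.IGNORECASE)


def find_sqli_attempts(log_text):
    """Return one record per pay.php request whose attribute value carries SQL tokens."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/pay.php"):
            continue  # only the vulnerable endpoint is of interest here
        # parse_qs percent-decodes values, so %27 / %20 become a quote and a space.
        for value in parse_qs(parts.query, keep_blank_values=True).get("attribute", []):
            tokens = sorted({t.group(0).lower() for t in SQL_TOKEN_RE.finditer(value)})
            if tokens:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "value": value,
                    "tokens": tokens,
                })
    return hits


if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print(hit)
```

Pair the token match with the status field: a burst of 500 responses from pay.php for the same client is the "unusual SQL errors" indicator listed above, even when the payload itself is obfuscated.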
