CVE-2024-36801
📋 TL;DR
A SQL injection vulnerability in SEMCMS v4.8 allows remote attackers to extract sensitive information from the database by manipulating the lgid parameter in Download.php. This affects all SEMCMS v4.8 installations with the vulnerable Download.php file. Attackers can potentially access user data, configuration details, or other database contents.
💻 Affected Systems
- SEMCMS
📦 What is this software?
Semcms by Sem Cms
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, sensitive configuration data, and potentially file system access through database functions.
Likely Case
Extraction of sensitive information from database tables such as user credentials, configuration settings, or download records.
If Mitigated
Limited information disclosure if database permissions are properly restricted and input validation is implemented elsewhere.
🎯 Exploit Status
Public proof-of-concept available on GitHub. Exploitation requires minimal technical skill as it's a basic SQL injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
No official patch is available. Replace the vulnerable Download.php with a patched version from community sources, or rewrite its database queries to use parameterized statements.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add input validation and parameterized queries to Download.php to prevent SQL injection.
Edit Download.php to replace raw SQL queries with prepared statements using PDO or mysqli.
WAF Rule Implementation
Implement web application firewall rules to block SQL injection attempts targeting the lgid parameter.
Add WAF rule: detect and block SQL injection patterns in the lgid parameter.
🧯 If You Can't Patch
- Restrict access to Download.php using IP whitelisting or authentication
- Run the application as a database user with minimal permissions (read-only on the tables it actually needs)
🔍 How to Verify
Check if Vulnerable:
Check if SEMCMS version is 4.8 and examine Download.php for unsanitized lgid parameter usage in SQL queries.
Check Version:
Check SEMCMS version in configuration files or admin panel
Verify Fix Applied:
Test the lgid parameter with SQL injection payloads (e.g., ' OR '1'='1) and verify that no database errors or unexpected data are returned.
📡 Detection & Monitoring
Log Indicators:
- SQL syntax errors in web server logs
- Unusual database queries from web application
- Multiple requests with SQL keywords in lgid parameter
Network Indicators:
- HTTP requests containing SQL injection payloads in lgid parameter
- Unusual database response sizes
SIEM Query:
web.url:*Download.php* AND (web.param.lgid:*OR* OR web.param.lgid:*UNION* OR web.param.lgid:*SELECT*)
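The log and network indicators above, turned into a runnable check. This is an added example, not part of the original advisory or of SEMCMS: it parses combined-format access log lines, isolates the lgid parameter of requests to Download.php, flags values containing the keywords from the SIEM query or a quote/comment marker, and lists source IPs that sent repeated probes. The log lines are constructed samples.

```python
"""Flag access-log requests that probe the lgid parameter of SEMCMS's Download.php."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: IP, identity, user, [timestamp], "METHOD URL PROTO", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
# Keywords from the advisory's SIEM query plus quote and comment markers; word
# boundaries keep ordinary values such as "story" or "selection" from matching.
SQLI_RE = re.compile(r"\bOR\b|\bUNION\b|\bSELECT\b|'|--|/\*", re.IGNORECASE)


def lgid_values(url):
    """Return the decoded lgid values when the request targets Download.php, else []."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/download.php"):
        return []
    return parse_qs(parts.query, keep_blank_values=True).get("lgid", [])


def scan_log(lines, repeat_threshold=3):
    """Return (findings, offenders): suspicious requests, and IPs with >= threshold of them."""
    findings, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        for value in lgid_values(m["url"]):
            hit = SQLI_RE.search(value)
            if hit:
                per_ip[m["ip"]] += 1
                findings.append({"ip": m["ip"], "ts": m["ts"], "lgid": value,
                                 "status": int(m["status"]), "match": hit.group(0)})
    return findings, [ip for ip, n in per_ip.items() if n >= repeat_threshold]


# Constructed sample lines (not real traffic): a benign request, three probes from one
# client (one answered with a 500, i.e. a database error), and an unrelated script.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /Download.php?lgid=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2024:12:00:02 +0000] "GET /Download.php?lgid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48210',
    '203.0.113.9 - - [10/May/2024:12:00:03 +0000] "GET /Download.php?lgid=1%20UNION%20SELECT%20null HTTP/1.1" 500 312',
    '203.0.113.9 - - [10/May/2024:12:00:04 +0000] "GET /Download.php?lgid=-1%20OR%201%3D1 HTTP/1.1" 200 48210',
    '198.51.100.4 - - [10/May/2024:12:00:05 +0000] "GET /index.php?lgid=1%20UNION%20SELECT HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG)[0]:
        print(finding)
```

A 500 on a flagged request is the strongest signal of the two, since it matches the "SQL syntax errors" indicator; tune repeat_threshold to your traffic before alerting on offenders.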