Portal+ CMS SQLi leaks databases (CVE-2019-25366)
Unauthenticated SQL injection in microASP Portal+ CMS (CVE-2019-25366) steals user credentials and database contents. Update to the patched version immediately.
Vendor-confirmed - CVE-2019-25366 is a high severity SQL injection in microASP Portal+ CMS that lets an unauthenticated attacker dump the entire database, including user passwords and confidential content, by sending a crafted request to the pagina.phtml component. Apply the official vendor patch to fix this vulnerability.
Overview
A critical security flaw has been identified in the microASP Portal+ Content Management System (CMS). This vulnerability allows an unauthenticated attacker to execute malicious commands directly on the application’s database, a technique known as SQL Injection.
Vulnerability Details
The vulnerability exists in the explode_tree parameter used by the pagina.phtml component of the CMS. By sending a specially crafted web request containing SQL code, an attacker can manipulate the database query. The attack specifically leverages database functions like extractvalue and concat to force the database to return sensitive information, such as the name of the current database. This initial information leak can be used as a foothold for further exploitation.
Potential Impact
The impact of this vulnerability is severe. A successful exploit could allow an attacker to:
- Steal Sensitive Data: Extract any information stored in the database, including user credentials (usernames and hashed passwords), personal data, and confidential content.
- Disrupt Operations: Modify or delete database records, potentially causing website malfunction or data loss.
- Gain Further Access: Use extracted information to escalate privileges or move laterally within the system.
Because the attack requires no authentication, any publicly accessible website running the vulnerable CMS is at immediate risk.
Remediation and Mitigation
Primary Action - Update Immediately: The most effective remediation is to apply the official security patch provided by the microASP vendor. Contact the vendor or check their official portal for an updated version of Portal+ CMS that addresses CVE-2019-25366.
Immediate Mitigation Steps: If an immediate update is not possible, consider these temporary measures:
- Input Validation: Implement strict server-side validation and filtering for all user inputs, particularly the explode_tree parameter. Reject any input containing SQL keywords or special characters.
- Web Application Firewall (WAF): Deploy or configure a WAF in front of the application to block SQL injection payloads. Ensure it is configured with rules specifically designed to detect and prevent these types of attacks.
- Network Restriction: If feasible, restrict access to the administrative interface of the CMS to only trusted IP addresses or a corporate network.
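The input-validation rule above, applied to web access logs to find pagina.phtml requests whose explode_tree value a strict filter would have rejected. This is an added example, not code from the advisory or the vendor. It assumes legitimate values are comma-separated numeric ids and that logs use the combined format; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: legitimate explode_tree values are numeric node ids, optionally
# comma-separated. Adjust the allow-list to the format your site really uses.
ALLOWED = re.compile(r"\d+(,\d+)*")
# Function names the advisory says the injection relies on.
SQL_FUNCS = re.compile(r"\b(extractvalue|concat)\s*\(", re.I)
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, placeholder arguments).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /pagina.phtml?explode_tree=4,8,15 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /pagina.phtml?explode_tree=1%20AND%20ExtractValue(PLACEHOLDER) HTTP/1.1" 200 312',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /pagina.phtml?explode_tree=1%2520concat%2528PLACEHOLDER%2529 HTTP/1.1" 200 312',
    '192.0.2.44 - - [01/Jan/2024:10:01:00 +0000] "GET /pagina.phtml?explode_tree=3%27 HTTP/1.1" 500 0',
    '192.0.2.44 - - [01/Jan/2024:10:01:02 +0000] "GET /index.phtml?explode_tree=abc HTTP/1.1" 200 100',
]

def check_value(value):
    """Return a reason string if the value must be rejected, else None."""
    decoded = unquote(value)  # second decode catches double URL-encoding
    if SQL_FUNCS.search(decoded):
        return "sql-function"
    if not ALLOWED.fullmatch(decoded):
        return "not-allow-listed"
    return None

def scan(lines):
    """Yield (line_no, client_ip, reason) for suspicious pagina.phtml hits."""
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/pagina.phtml"):
            continue  # only the component named in the advisory
        values = parse_qs(url.query, keep_blank_values=True).get("explode_tree", [])
        for value in values:  # a repeated parameter is checked value by value
            reason = check_value(value)
            if reason:
                yield no, line.split()[0], reason
                break

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The allow-list is the control that matters here: the function-name match only labels hits for triage, and any value that is not a plain id list is flagged regardless of which keywords it contains.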
General Best Practice: Regularly review and apply security updates for all third-party software components in your environment.