
CVE-2017-16558: Contao SQL injection in the backend and listing module

CVSS Score (v3.0): 9.8

Basic Information

EPSS Score: 0.56318%
Published: 5/24/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name            Ecosystem   Vulnerable Versions     First Patched Version
contao/contao           composer    >= 3.0.0, <= 3.5.30     (not listed)
contao/contao           composer    >= 4.0.0, < 4.4.8       4.4.8
contao/core-bundle      composer    >= 4.0.0, < 4.4.8       4.4.8
contao/listing-bundle   composer    >= 4.0.0, < 4.4.8       4.4.8
contao/core-bundle      composer    >= 3.0.0, <= 3.5.30     (not listed)
contao/listing-bundle   composer    >= 3.0.0, <= 3.5.30     (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability manifests in two components:

  1. In DC_Table.php's searchMenu method, the pre-patch code accepted an unfiltered, user-supplied database field name (tl_field) and placed it in the query, enabling SQL injection via a crafted WHERE clause. The fix added strict in_array validation.
  2. In ModuleListing.php's compile method, the user-controlled 'order_by' and 'sort' parameters were interpolated directly into the ORDER BY clause without validation. The patch introduced allow-list validation for both parameters.

Both functions lacked input sanitization against injected SQL operators, matching the CWE-89 pattern of improper neutralization of SQL special elements.
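The allow-list control the analysis describes, applied to both the backend search field and the listing module's sort parameters, as an added example written for this page rather than Contao's own code; the helper names, the table tl_member and its column list are assumptions:

```php
<?php
// Added example, not Contao's own code: the allow-list control the analysis
// describes, for the backend search field and the listing module's sort fields.

// Identifiers (column names, sort direction) cannot be bound as prepared-statement
// parameters, so request-supplied ones are compared against a fixed list instead.
function assertAllowedIdentifier(string $value, array $allowed, string $what): string
{
    if (!in_array($value, $allowed, true)) {   // strict: no loose-comparison surprises
        throw new InvalidArgumentException("Rejected $what: not in allow-list");
    }
    return $value;
}

// Pre-patch shape of the listing module: request values go straight into SQL.
function buildOrderByUnsafe(array $request): string
{
    return ' ORDER BY ' . $request['order_by'] . ' ' . $request['sort'];
}

// Patched shape: column and direction are validated first; the column is then
// backtick-quoted for MySQL because it is now known to be a real column name.
function buildOrderBySafe(array $request, array $allowedColumns): string
{
    $column = assertAllowedIdentifier((string) ($request['order_by'] ?? ''), $allowedColumns, 'order_by');
    $direction = assertAllowedIdentifier(strtoupper((string) ($request['sort'] ?? 'ASC')), ['ASC', 'DESC'], 'sort');
    return ' ORDER BY `' . $column . '` ' . $direction;
}

// The backend search field (tl_field in DC_Table's searchMenu) gets the same check
// before it enters the WHERE clause; the search term itself stays a bound parameter.
function buildSearchWhereSafe(string $field, array $allowedColumns): string
{
    $field = assertAllowedIdentifier($field, $allowedColumns, 'tl_field');
    return ' WHERE `' . $field . '` LIKE ?';
}

$allowed = ['id', 'username', 'tstamp'];   // constructed column list for tl_member

echo 'SELECT * FROM tl_member'
    . buildSearchWhereSafe('username', $allowed)
    . buildOrderBySafe(['order_by' => 'tstamp', 'sort' => 'desc'], $allowed), "\n";

try {
    buildOrderBySafe(['order_by' => 'no_such_column', 'sort' => 'ASC'], $allowed);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // unlisted identifiers never reach the query
}
```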
