Authenticated SQL Injection in Chyrp CMS v2.5.2

3 minute read

Vulnerability Summary

Field	Detail
Affected Software	Chyrp CMS v2.5.2 and before
Vulnerability Type	SQL Injection
Component	`Admin.php` (`prefix` POST parameter)
Access Required	Authenticated (admin access)
Impact	Information Disclosure, Data Manipulation, Denial of Service

SQL Injection

SQL Injection is one of the oldest and most critical web vulnerabilities yet it still appears in modern codebases. Chyrp is a lightweight open-source blogging platform written in PHP. It provides a minimal CMS for publishing posts and managing blog content. Since the application interacts extensively with a backend database, proper input validation and query construction is important.

SQL Injection occurs when user input is incorporated into a database query without proper validation or sanitization, allowing an attacker to alter the query’s logic or append entirely new SQL statements.

If a web application builds SQL queries by directly concatenating user input without any input validation, an attacker can manipulate the query to read arbitrary data, modify or delete records, or cause denial of service. In extreme cases, depending on database permissions, SQL injection can even lead to remote code execution via file-write capabilities.

The worst-case scenario is when user input gets added directly into a query that interacts with sensitive tables like: user credentials, session tokens, or administrative data.

In Chyrp CMS, there is an authenticated SQL injection vulnerability in the admin controller. The vulnerability occurs when a user controlled POST parameter is directly concatenated into a SQL query without sanitization or validation allowing a malicious administrator to manipulate the SQL statement executed by the application.

$get_posts = mysql_query(
    "SELECT * FROM {$_POST['prefix']}textpattern ORDER BY ID ASC", $link)
    or error(__("Database Error"), mysql_error());

Here, the application constructs a SQL query by inserting the prefix parameter directly into the table name. There is no input validation or escaping, which means the attacker can inject arbitrary SQL.

Why This Is Vulnerable?

Since the query is dynamically built like:

SELECT * FROM {user_input}textpattern ORDER BY ID ASC

And since $_POST['prefix'] is attacker-controlled, the query becomes:

SELECT * FROM attacker_inputtextpattern ORDER BY ID ASC

If the attacker injects SQL syntax, they can alter the query execution. Because the code uses string concatenation instead of parameterized queries, the database interpreter processes the injected SQL as part of the query.

Example Exploitation

An attacker with administrative privileges can submit a malicious request such as:

POST prefix=abc; DROP TABLE users; --

The resulting SQL query becomes:

SELECT * FROM abc; DROP TABLE users; -- textpattern ORDER BY ID ASC;

Depending on the database configuration and privileges.This could lead to:

Database Manipulation: Attackers could modify or delete data.
Denial of service
Information Disclosure: attacker may access arbitrary tables in the database.

Secure SQL Query Best Practices

Use Parameterized Queries / Prepared Statements

Never build SQL queries using string concatenation with user input.
Parameterized queries using prepared statements are the single most effective defense against SQL injection. This ensures user input is treated as data and never as sql code.

Input Validation

Validate inputs against a strict allowlist. For example, if a prefix must be alphanumeric, enforce that with a regex check before it touches any query. Reject inputs that don’t conform rather than trying to sanitize them.
Be especially careful with inputs that end up in structural parts of a query like: table names, column names, ORDER BY clauses as these cannot be parameterized the same way values can.

Least Privilege Database Accounts

The application’s database user should only have the permissions it genuinely needs typically SELECT, INSERT, UPDATE on specific tables.
Accounts used by web applications should never hold DROP, CREATE, ALTER, or GRANT privileges.This limits blast radius if injection does occur.

Web Application Firewall (WAF)

A WAF can detect and block common SQL injection patterns as a defense-in-depth measure.
It will not fix the root cause but it raises the bar for exploitation while a patch is being developed.