Description
A SQL injection vulnerability exists in the stylesheet.php file of CMS Made Simple version 1.0.5 and earlier. The vulnerability occurs because the 'templateid' parameter is not properly sanitized before being used in SQL queries, allowing attackers to inject malicious SQL commands. This is a critical security flaw that can be exploited remotely without authentication.
Remediation
Immediately upgrade to CMS Made Simple version 1.0.6 or later, which addresses this vulnerability. If immediate upgrading is not possible, implement the following temporary mitigations:
1. Apply input validation to the 'templateid' parameter to accept only numeric values
2. Use parameterized queries or prepared statements instead of direct SQL concatenation
3. Restrict access to stylesheet.php at the web server level if the functionality is not required
4. Monitor application logs for suspicious SQL injection attempts targeting this parameter
Example of secure parameterized query implementation:
// Secure approach using prepared statements
$stmt = $db->prepare("SELECT * FROM templates WHERE id = ?");
$stmt->bind_param("i", $templateid);
$stmt->execute();
References
http://www.cmsmadesimple.org/2007/04/24/cms-made-simple-106-released/
Related Vulnerabilities
SugarCRM Improper Restriction of XML External Entity Reference Vulnerability (CVE-2014-3244)
Dolibarr Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2020-14209)
Magento Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2019-8155)
Oracle Database Server CVE-2008-2591 Vulnerability (CVE-2008-2591)