What is FUEL CMS?
FUEL CMS is an open-source PHP content management system built on CodeIgniter. It is used by developers and small-to-medium organizations to build and manage websites with a customizable admin panel for content management. The FUEL CMS admin panel provides management interfaces for pages, navigation, permissions, and other site content through standard CRUD (Create, Read, Update, Delete) endpoints. SQL injection vulnerabilities in CMS admin panels are severe because they provide access to the database containing all site content, user credentials, configuration, and potentially allow escalation to OS-level code execution via SQL features like INTO OUTFILE or stored procedure abuse.
Overview
CVE-2020-17463 is a SQL injection vulnerability (CWE-89) in FUEL CMS 1.4.7 that allows a remote attacker to inject arbitrary SQL via the col parameter in the admin panel's list endpoints (/pages/items, /permissions/items, /navigation/items). The injection is in an ORDER BY clause that the application constructs from the col parameter without sanitization. An unauthenticated attacker (CVSS PR:N) can extract the full database, including admin credentials, and potentially achieve code execution via SQL-based file write operations. CISA added it to KEV in December 2021.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| FUEL CMS 1.4.7 and earlier | Yes | Update to patched version or apply sanitization fix |
Technical Details
- Root cause: SQL injection (CWE-89) in the `col` parameter used to construct an ORDER BY clause — the FUEL CMS admin panel's list views accept a `col` parameter to specify the column to sort results by; this parameter is passed directly into the SQL query's ORDER BY clause without parameterization or input sanitization. ORDER BY injection differs from standard WHERE-clause injection but still allows full database extraction via time-based blind or error-based techniques.
- Attack endpoints: `/fuel/pages/items?col=<payload>`, `/fuel/permissions/items?col=<payload>`, `/fuel/navigation/items?col=<payload>` — multiple admin panel list views share the same vulnerable parameter handling.
- Database extraction via ORDER BY injection: the injected SQL payload can use conditional expressions (CASE statements, IF functions) to extract database content character by character via time-based blind injection or boolean-based differences in response time; attackers extract the `fuel_users` table to obtain the admin username and hashed password, then crack or use the credentials for admin panel access.
- CVSS PR:N (no privileges required): despite being an admin panel endpoint, the list endpoints are accessible without authentication in the affected versions — the access control check is missing or bypassable, making this a pre-authentication SQL injection.
- SQL to RCE escalation: depending on MySQL configuration, the `INTO OUTFILE` SQL clause can write files to the web root, enabling PHP webshell deployment; if the `FILE` privilege is granted to the database user, SQL injection can escalate to OS code execution.
- FUEL CMS RCE history: FUEL CMS 1.4.1 also had a separate authenticated RCE vulnerability (CVE-2018-16763) — the CMS has a history of security issues, indicating limited security review of the codebase.
Discovery
Identified by security researchers and disclosed via the FUEL CMS GitHub issue tracker in 2020. CISA's December 2021 KEV addition reflects active exploitation of internet-accessible FUEL CMS installations with the vulnerable col parameter injection.
Exploitation Context
FUEL CMS deployments are typically small to medium websites and web applications. While the CMS is not as widely deployed as WordPress or Drupal, the combination of unauthenticated SQL injection + path to RCE makes any exposed FUEL CMS instance a target for automated scanning tools that catalog CMS fingerprints. Attackers commonly use search engines like Shodan, Censys, and Google dorks to identify FUEL CMS installations and then automate SQL injection payloads against the vulnerable endpoints. Compromised FUEL CMS sites are typically used for credential theft, SEO spam injection, or as pivot points into hosting infrastructure.
Remediation
- Upgrade FUEL CMS to the latest version — check the FUEL CMS GitHub repository for a patched release that properly sanitizes the `col` parameter.
- As an immediate workaround, implement input validation in `application/core/MY_Model.php` or the relevant controller to whitelist valid column names for the `col` parameter rather than passing raw input to SQL.
- Configure the database user for FUEL CMS with the minimum necessary privileges — deny the FILE privilege to prevent SQL-to-file-write escalation; use a database user without SUPER or FILE grants.
- Implement a WAF rule to detect and block ORDER BY injection patterns in the `col` parameter (e.g., SQL keywords, parentheses, or CASE expressions in sort parameters).
- Review database access logs for unusual query patterns or large numbers of queries that may indicate automated SQL injection extraction.
- Audit the database for unauthorized changes to the `fuel_users` table; rotate admin credentials if exploitation is suspected.
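The following PHP is an added illustration written for this page; it is not FUEL CMS code and does not reproduce the project's `MY_Model.php`. It shows the root-cause pattern from Technical Details (a request's `col` value concatenated straight into ORDER BY, which no bind parameter can protect because a column name is an identifier, not a value), the allow-list fix described in the workaround bullet above, and a log-review helper that applies the same allow-list to the `col` query parameter of requests to the three affected endpoints. The table name `fuel_pages`, its column names, and the access log lines are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not FUEL CMS code. Assumed: a table "fuel_pages" with the
// columns id, title, published, date_added; the real column set is not on the page.

/**
 * Vulnerable pattern: the raw "col" request value becomes part of the SQL text.
 * Prepared-statement placeholders cannot be used for identifiers, so binding
 * alone would not fix this.
 */
function buildListQueryVulnerable(string $col, string $order): string
{
    return "SELECT id, title FROM fuel_pages ORDER BY {$col} {$order}";
}

/** Fixed allow-list of sortable columns; the only strings that may reach ORDER BY. */
const ALLOWED_SORT_COLUMNS = ['id', 'title', 'published', 'date_added'];
const DEFAULT_SORT_COLUMN  = 'id';

/** Map the untrusted sort key onto the allow-list; anything else falls back to the default. */
function resolveSortColumn(string $col): string
{
    // Strict, exact match: "id, title", "id)" and "title DESC" are all rejected.
    return in_array($col, ALLOWED_SORT_COLUMNS, true) ? $col : DEFAULT_SORT_COLUMN;
}

/** Sort direction is likewise reduced to one of two constants. */
function resolveSortOrder(string $order): string
{
    return strtolower($order) === 'desc' ? 'DESC' : 'ASC';
}

/** Hardened pattern: both interpolated fragments now come from constants. */
function buildListQueryHardened(string $col, string $order): string
{
    return sprintf(
        'SELECT id, title FROM fuel_pages ORDER BY %s %s',
        resolveSortColumn($col),
        resolveSortOrder($order)
    );
}

/**
 * Log review: flag requests to the affected list endpoints whose "col" value
 * would not pass the allow-list. A sort key that is not a plain column name is
 * exactly the traffic worth examining after this CVE.
 */
function findSuspiciousSortRequests(array $logLines): array
{
    $endpoints = ['/fuel/pages/items', '/fuel/permissions/items', '/fuel/navigation/items'];
    $hits = [];
    foreach ($logLines as $line) {
        // Combined-format access log: "METHOD /path?query HTTP/1.1"
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (!in_array($url['path'] ?? '', $endpoints, true) || empty($url['query'])) {
            continue;
        }
        parse_str($url['query'], $params); // also URL-decodes the values
        if (!isset($params['col'])) {
            continue;
        }
        $col = (string) $params['col'];
        if (!in_array($col, ALLOWED_SORT_COLUMNS, true)) {
            $hits[] = ['path' => $url['path'], 'col' => $col];
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic): one benign sort, one
// expression in place of a column name, one stray parenthesis, one unrelated page.
$sampleLog = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /fuel/pages/items?col=title&order=asc HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Dec/2021:10:00:02 +0000] "GET /fuel/pages/items?col=(CASE+WHEN+1%3D1+THEN+id+ELSE+title+END) HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2021:10:00:03 +0000] "GET /fuel/navigation/items?col=id) HTTP/1.1" 500 0',
    '10.0.0.9 - - [10/Dec/2021:10:00:04 +0000] "GET /about HTTP/1.1" 200 2048',
];

echo buildListQueryVulnerable('id)', 'asc'), PHP_EOL;   // broken SQL: ORDER BY id) asc
echo buildListQueryHardened('id)', 'asc'), PHP_EOL;     // ORDER BY id ASC
foreach (findSuspiciousSortRequests($sampleLog) as $hit) {
    printf("suspicious sort key on %s: %s\n", $hit['path'], $hit['col']);
}
```

The allow-list is the same object in both the query builder and the log scanner, so the two cannot drift apart: whatever the application would refuse to sort by is what the review flags. Run it as `php example.php`; the second and third sample lines are reported, the first and fourth are not.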
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-17463 |
| Vendor / Product | Fuel CMS — Fuel CMS |
| NVD Published | 2020-08-13 |
| NVD Last Modified | 2025-11-07 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-89 |
| CISA KEV Added | 2021-12-10 |
| CISA KEV Deadline | 2022-06-10 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2020-08-13 | CVE-2020-17463 published for SQL injection in FUEL CMS 1.4.7 via col parameter |
| 2021-12-10 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-06-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| FUEL CMS GitHub Issue #545 — SQL Injection | Security Research |
| NVD — CVE-2020-17463 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |