CVE-2024-6416 Overview
CVE-2024-6416 is a SQL injection vulnerability in SeaCMS 12.9, an open-source content management system commonly used for video streaming websites. The flaw resides in the /js/player/dmplayer/dmku/?ac=edit endpoint, where the cid parameter is passed to a database query without proper sanitization [CWE-89]. Attackers can manipulate the cid argument with payloads such as (select(0)from(select(sleep(10)))v) to inject arbitrary SQL statements. The attack is remotely exploitable over the network and requires only low-privileged authentication. Public disclosure of the exploit details has been released through VulDB entry VDB-270007.
Critical Impact
Remote attackers with low privileges can execute arbitrary SQL queries against the backend database, enabling data exfiltration, authentication bypass, and potential full compromise of the SeaCMS installation.
Affected Products
- SeaCMS 12.9
- Installations exposing the /js/player/dmplayer/dmku/ administrative endpoint
- Deployments using the default Damuku (dmku) danmaku player component
Discovery Timeline
- 2024-06-30 - CVE-2024-6416 published to NVD
- 2025-04-05 - Last updated in NVD database
Technical Details for CVE-2024-6416
Vulnerability Analysis
The vulnerability exists in the SeaCMS danmaku (bullet comment) player administration script located at /js/player/dmplayer/dmku/?ac=edit. When the script processes the cid parameter from the HTTP request, it concatenates the value directly into a SQL statement without parameterized queries or input validation. This classic SQL injection pattern allows attackers to break out of the intended query context and append their own SQL syntax. Time-based payloads such as (select(0)from(select(sleep(10)))v) confirm exploitability by introducing a measurable delay in the server response. The attack surface is reachable remotely and does not require user interaction.
Root Cause
The root cause is improper neutralization of special elements in an SQL command [CWE-89]. The edit action handler trusts the cid parameter supplied by the client and inserts it directly into the SQL query string. SeaCMS does not enforce prepared statements or strict type casting on this parameter, leaving the query vulnerable to injection through both UNION-based and time-based techniques.
Attack Vector
An authenticated user with low privileges sends a crafted HTTP request to the /js/player/dmplayer/dmku/?ac=edit endpoint, modifying the cid parameter to include SQL syntax. The injected payload executes within the application database context. Attackers can extract user credentials, session tokens, and content metadata, or chain the flaw with other weaknesses for privilege escalation. The exploit has been publicly documented, increasing the likelihood of opportunistic scanning and automated exploitation against exposed SeaCMS deployments.
For full technical analysis, see the Fushuling Blog Post and the VulDB #270007 advisory.
Detection Methods for CVE-2024-6416
Indicators of Compromise
- HTTP requests to /js/player/dmplayer/dmku/?ac=edit containing SQL keywords such as select, sleep, union, or from in the cid parameter
- Web server access logs showing anomalously long response times for the dmku endpoint, indicative of time-based blind SQL injection
- Unexpected database errors or warnings referencing the cid parameter in SeaCMS application logs
- New or modified administrator accounts in the SeaCMS sea_admin table following suspicious endpoint access
Detection Strategies
- Deploy web application firewall rules that inspect the cid parameter on /js/player/dmplayer/dmku/ requests for SQL syntax
- Enable database query logging and alert on queries originating from the danmaku player component that contain SLEEP, BENCHMARK, or stacked statements
- Correlate HTTP 200 responses with response durations greater than five seconds on the affected endpoint to flag blind injection attempts
Monitoring Recommendations
- Forward web server and PHP error logs to a centralized analytics platform for retrospective hunting on the dmku URI pattern
- Track outbound database connections from the SeaCMS host for unusual data volumes that may indicate exfiltration
- Monitor file integrity on SeaCMS PHP files to identify post-exploitation webshell deployment
How to Mitigate CVE-2024-6416
Immediate Actions Required
- Restrict access to the /js/player/dmplayer/dmku/ directory using web server access controls, limiting it to trusted administrative IP addresses
- Audit existing SeaCMS administrator and user accounts for unauthorized additions or privilege changes
- Rotate database credentials and administrator passwords if exploitation is suspected
- Review web server logs from 2024-06-30 onward for requests matching the exploitation pattern
Patch Information
No official vendor patch is referenced in the NVD entry for SeaCMS 12.9 at the time of publication. Administrators should monitor the SeaCMS project releases for updates and consult the VulDB advisory for remediation guidance. Until an official fix is available, apply compensating controls described below.
Workarounds
- Implement WAF signatures that block SQL metacharacters and time-delay functions in the cid parameter
- Add server-side input validation enforcing a strict integer type for the cid value before it reaches the database query
- Disable or remove the dmku administrative interface if the danmaku functionality is not required
- Run the SeaCMS database account with least-privilege permissions, denying FILE, DROP, and CREATE rights to limit injection impact
# Example nginx configuration to restrict the vulnerable endpoint
location ~ ^/js/player/dmplayer/dmku/ {
allow 10.0.0.0/8; # trusted admin network
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
