The vulnerability in Admidio v4.3.16 is an authenticated SQL injection in the `members_assignment_data.php` script. The flaw arises because the `filter_rol_uuid` GET parameter is not validated or escaped before being concatenated directly into an SQL query string. When an authenticated user with role assignment permissions (for example an administrator) sends a request to this endpoint, the supplied `filter_rol_uuid` value is embedded in the `$filterRoleCondition` variable, which is then appended to a subquery. Because the value is only wrapped in single-quote delimiters, an attacker can close those quotes and append arbitrary SQL. This allows execution of attacker-controlled SQL statements on the underlying MySQL database, leading to complete database compromise, including data exfiltration, modification, or deletion.
Platform: Admidio
Version: 4.3.16
Vulnerability: SQL Injection
Severity: Critical
Date: 2024-10-23
Prediction: 2024-11-13
What Undercode Says:
```bash
sqlmap -r admidio_request.txt -p filter_rol_uuid --technique=T --dbms=mysql --current-db
```

```php
// Vulnerable Code Snippet
// The GET value is only type-checked as a string, then concatenated straight
// into the SQL text between single quotes, so a quote in the input breaks out.
$getFilterRoleUuid = admFuncVariableIsValid($_GET, 'filter_rol_uuid', 'string');
$filterRoleCondition = ' AND rol_uuid = \'' . $getFilterRoleUuid . '\'';
```
How to Exploit:
Intercept the AJAX request to `members_assignment_data.php` and manipulate the `filter_rol_uuid` parameter to inject SQL payloads, such as `' AND SLEEP(5)-- -` for time-based data extraction.
Protection from this CVE:
Apply the vendor patch. Use parameterized queries so user input never becomes part of the SQL text. Validate the `filter_rol_uuid` parameter against the expected UUID format and reject anything else. Enforce the principle of least privilege for the database account the application uses.
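The following is an added example, not Admidio's own code or patch, showing how the filter fragment from the vulnerable snippet above can be built with the two mitigations just listed: strict format validation of the UUID and a prepared statement with a bound parameter. It assumes a PDO handle `$db` connected to the application's MySQL database; the table name `adm_roles` and the surrounding query are hypothetical and only illustrate where the fragment is used.

```php
<?php
// Added example (not Admidio's code). Assumes a PDO connection in $db.

/**
 * Accept only a canonical UUID string (8-4-4-4-12 hex groups).
 * Quotes, comment markers and whitespace can never pass this check,
 * so malformed input is rejected instead of "sanitized".
 */
function isValidUuid(string $value): bool
{
    $pattern = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    return preg_match($pattern, $value) === 1;
}

/**
 * Build the role filter as a parameterized fragment.
 * Returns [sqlFragment, boundParams]; the fragment contains only a
 * placeholder, never the raw request value.
 */
function buildRoleFilter(?string $filterRoleUuid): array
{
    if ($filterRoleUuid === null || $filterRoleUuid === '') {
        return ['', []];            // no filter requested
    }
    if (!isValidUuid($filterRoleUuid)) {
        // Fail closed: a UUID filter that is not a UUID is an error, not data.
        throw new InvalidArgumentException('filter_rol_uuid must be a UUID');
    }
    return [' AND rol_uuid = :rol_uuid', [':rol_uuid' => $filterRoleUuid]];
}

// Usage inside the data endpoint (hypothetical query and table name):
[$filterRoleCondition, $params] = buildRoleFilter($_GET['filter_rol_uuid'] ?? null);
$sql = 'SELECT rol_id, rol_name FROM adm_roles WHERE rol_valid = 1' . $filterRoleCondition;
$stmt = $db->prepare($sql);      // SQL text is fixed at this point
$stmt->execute($params);         // the UUID travels as a bound value only
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Even with the regex in place, the prepared statement is the control that actually removes the injection: validation narrows the input to what the feature expects, while binding guarantees that whatever reaches the database is treated as a value rather than as SQL.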
Impact:
Full database compromise. Unauthorized data access, modification, and deletion. Complete loss of confidentiality and integrity.
Sources:
Reported By: github.com