PMB SQL Injection Vulnerability in ajax.php Endpoint

A SQL injection vulnerability has been identified in PMB version 7.4.6. The issue resides in the storage parameter of the ajax.php endpoint, where the 'id' parameter is not properly sanitized. This vulnerability allows remote attackers to manipulate database queries by injecting conditional sleep statements. Exploitation of this flaw could lead to time-based blind SQL injection attacks, enabling attackers to extract information from the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the ajax.php endpoint with the 'categ' parameter set to 'storage' and the 'id' parameter injected with a SQL payload that exploits the lack of input sanitization. The injection can include conditional sleep statements to demonstrate the vulnerability, such as using 'IF(NOW()=SYSDATE(),SLEEP(5),0)' to create a time delay response.

Remediation

Users are advised to update to PMB versions 7.4.7 or 7.5.1, both of which include patches for this vulnerability.