Admidio MyList Configuration Arbitrary SQL Injection Vulnerability

Vulnerability

A second-order SQL injection vulnerability has been identified in Admidio, an open-source user management solution, affecting versions through 5.0.6. The vulnerability arises in the MyList configuration feature, where authenticated users can customize list column layouts. User-defined column names, sort directions, and filter conditions are stored in the 'adm_list_columns' table via prepared statements. However, these values are later retrieved and directly inserted into SQL queries without proper sanitization or parameterization. This allows attackers to inject arbitrary SQL, potentially leading to unauthorized data access, modification, or deletion, and could result in a complete database compromise.
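To make the second-order pattern concrete, here is an added Python example (not Admidio's code; Admidio is a PHP application and the column names, table layout and allowlist below are constructed assumptions). It stores a list configuration with placeholders, then contrasts a sink that splices the stored column name and sort direction straight into SQL with one that re-validates each stored value at the point of use and binds filter values as parameters.

```python
import re
import sqlite3

# Constructed allowlist standing in for the columns a list may expose; the
# real Admidio column set is not given on this page.
ALLOWED_COLUMNS = {"usr_login_name", "usr_last_name", "usr_first_name"}
ALLOWED_SORT = {"ASC", "DESC"}
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample of stored list-configuration rows: (column name, sort
# direction, filter value). The first hop into storage is parameterised, so
# these strings reach the second hop unchanged and unvalidated.
STORED_CONFIG_CLEAN = [("usr_last_name", "ASC", "Smith"), ("usr_login_name", "DESC", "")]
STORED_CONFIG_TAMPERED = [("usr_last_name -- not a column", "ASC", "")]

def build_query_vulnerable(columns):
    """Second-order sink: stored values are trusted and spliced into SQL text."""
    select = ", ".join(name for name, _, _ in columns)
    order = ", ".join(f"{name} {direction}" for name, direction, _ in columns)
    return f"SELECT {select} FROM adm_users ORDER BY {order}", ()

def build_query_hardened(columns):
    """Re-validate every stored value at the point of use; bind filter values."""
    select, order, where, params = [], [], [], []
    for name, direction, filter_value in columns:
        if not IDENTIFIER.match(name) or name not in ALLOWED_COLUMNS:
            raise ValueError(f"stored column name rejected: {name!r}")
        direction = direction.upper()
        if direction not in ALLOWED_SORT:
            raise ValueError(f"stored sort direction rejected: {direction!r}")
        select.append(name)
        order.append(f"{name} {direction}")
        if filter_value:
            where.append(f"{name} = ?")   # value travels as a bound parameter
            params.append(filter_value)
    sql = f"SELECT {', '.join(select)} FROM adm_users"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql + " ORDER BY " + ", ".join(order), tuple(params)

def accepts(columns):
    """True if every stored row passes the point-of-use validation."""
    try:
        build_query_hardened(columns)
        return True
    except ValueError:
        return False

def run_list(columns):
    """Execute the hardened query against a constructed in-memory adm_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adm_users (usr_login_name TEXT, usr_first_name TEXT, usr_last_name TEXT)")
    conn.executemany("INSERT INTO adm_users VALUES (?, ?, ?)",
                     [("asmith", "Ann", "Smith"), ("bjones", "Bob", "Jones"), ("csmith", "Cy", "Smith")])
    sql, params = build_query_hardened(columns)
    return conn.execute(sql, params).fetchall()
```

The stored row is only parameterised on its way into the database; what matters for the fix is that the read side treats it as untrusted input again.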

Impact

Exploitation of this vulnerability allows for arbitrary SQL injection, with the potential to read, modify, or delete any data in the database, leading to a full database compromise.

Reproduction

To reproduce this vulnerability, an authenticated user with permission to edit lists saves a MyList configuration containing SQL payloads in the column name, sort direction, or filter fields. The stored values are written safely, but when the list is later viewed they are inserted into the list query without validation or sanitization, and the injected SQL is executed.

Remediation

Users are advised to update to Admidio version 5.0.7 or later, where this vulnerability has been fixed.

Added: Mar 20, 2026, 3:36 AM
Updated: Mar 20, 2026, 3:36 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.