AVideo SQL Injection Vulnerability in Sorting Function

Vulnerability

A SQL injection vulnerability has been identified in AVideo versions prior to 8.0. The issue arises in the 'getSqlFromPost()' method of 'Object.php', where the keys of the 'sort' array from the POST request are used directly as SQL column identifiers in an 'ORDER BY' clause. Although 'real_escape_string()' was applied, it only escapes characters that are special in a string context and does not safeguard SQL identifiers, so it is ineffective in this scenario. The vulnerability allows authenticated users to inject arbitrary SQL, potentially leading to extraction of database content, such as credentials and queue data, and to denial-of-service through heavy queries.

Impact

Exploitation of this vulnerability allows for authenticated SQL injection, with the potential to extract sensitive database information and cause denial-of-service by executing resource-intensive queries.

Remediation

Users can upgrade to AVideo version 8.0 or later, where this vulnerability has been fixed. Alternatively, without upgrading, a WAF rule can be applied to block POST requests whose 'sort' keys contain any character other than alphanumerics and underscores. Another option is to restrict access to the queue view to trusted IP ranges only.
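The key allowlist from the WAF option above, written as a request filter. This is an added example, not AVideo's fix or any WAF product's rule syntax; it assumes a form-encoded POST body, and the function names and sample bodies are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Allowlist from the remediation text: alphanumerics and underscores only.
SAFE_KEY = re.compile(r"[A-Za-z0-9_]+")
# PHP-style array parameter: sort[<key>]. DOTALL so a newline cannot hide input.
SORT_PARAM = re.compile(r"sort\[(.*)\]", re.DOTALL)


def rejected_sort_keys(body: str) -> list[str]:
    """Return every 'sort' key in a form-encoded POST body that falls
    outside the allowlist. An empty list means the request passes."""
    rejected = []
    # parse_qsl percent-decodes names, so sort%5Bx%5D is checked as sort[x].
    for name, _value in parse_qsl(body, keep_blank_values=True):
        if not name.startswith("sort["):
            continue  # not an element of the sort array
        match = SORT_PARAM.fullmatch(name)
        if match is None:
            # Unterminated bracket: reject rather than guess at the key.
            rejected.append(name)
            continue
        key = match.group(1)
        # fullmatch, not match: the whole key must be allowlisted, so an
        # empty key or a nested form such as sort[a][b] is rejected too.
        if not SAFE_KEY.fullmatch(key):
            rejected.append(key)
    return rejected


def allow_request(body: str) -> bool:
    """True when no 'sort' key violates the allowlist."""
    return not rejected_sort_keys(body)


# Constructed sample bodies, not taken from the advisory.
SAMPLES = [
    "current=1&rowCount=10&sort%5Bcreated%5D=DESC",  # plain column name
    "sort[title%20DESC%2C%20id]=ASC",                # space and comma in key
    "sort[a][b]=ASC",                                # nested key
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "allow" if allow_request(sample) else "block"
        print(f"{verdict:5}  {sample}  rejected={rejected_sort_keys(sample)}")
```

The check applies to the decoded parameter name, so percent-encoded brackets do not bypass it.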

Added: Mar 20, 2026, 5:20 AM
Updated: Mar 20, 2026, 5:20 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 3.1
exploitability: 6.1
remediation: 7.9
relevance: 4.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.