WWBN AVideo Unauthenticated SQL Injection Vulnerability in Category Handling

A critical unauthenticated SQL injection vulnerability has been identified in WWBN AVideo versions prior to 26.0. The issue resides in the 'objects/category.php' file, specifically within the 'getAllCategories()' method. The vulnerability arises because the 'doNotShowCats' request parameter is inadequately sanitized, allowing attackers to manipulate SQL string boundaries using a backslash escape technique. This parameter bypasses the application's global input filters, creating an opportunity for SQL injection exploitation.

Impact

Exploitation of this vulnerability allows for full read access to the database, including sensitive information such as user credentials, private video metadata, and API secrets. Additionally, it could lead to unauthorized data modification or deletion. In certain MySQL configurations, this vulnerability could be exploited to achieve remote code execution by writing a PHP web shell to the server's document root.

Reproduction

The vulnerability can be reproduced by sending a GET request to 'categories.json.php' with the 'doNotShowCats' parameter. The first element should be a backslash, and the second element can include SQL injection payloads, such as ') OR 1=1)-- '. After the request is processed, the injected SQL will be executed, demonstrating the successful exploitation of the SQL injection vulnerability.

Remediation

Users are advised to update to AVideo version 26.0 or later, where this vulnerability has been patched.