WWBN AVideo Blind SQL Injection Vulnerability in Live Schedule Reminder Endpoint

Vulnerability

A blind SQL injection vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the 'plugin/Live/remindMe.json.php' endpoint, where the 'live_schedule_id' parameter is passed through several functions without proper sanitization. This unsanitized data eventually reaches 'Scheduler_commands::getAllActiveOrToRepeat()', which concatenates it directly into a SQL 'LIKE' clause. Although some intermediate functions apply 'intval()' to local copies of the variable, the original, tainted value is the one that reaches the query. As a result, any authenticated user can exploit this vulnerability to perform time-based blind SQL injection, allowing for the extraction of arbitrary database contents.
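The following is an added illustration of the defect class described above; it is not AVideo's own code and not the patched function. It contrasts the "intval() on a copy, tainted original in the query" pattern with a hardened version that casts the value actually used and binds it as a parameter. It runs stand-alone against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension); the table name, column name, JSON layout, sample rows and function names are constructed assumptions, not AVideo's schema.

```php
<?php
// Added example, not AVideo's own code. Shows the bug class from the advisory:
// an integer cast applied to a local copy while the tainted string is what
// gets concatenated into a LIKE clause, beside the hardened form.
declare(strict_types=1);

function setupDemoDb(): PDO
{
    // Constructed demo schema; AVideo's real table and column names are not used here.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE scheduler_commands (id INTEGER PRIMARY KEY, parameters TEXT)');
    // Constructed sample rows: each stores a JSON blob that the lookup matches with LIKE.
    $pdo->exec("INSERT INTO scheduler_commands (parameters) VALUES
        ('{\"live_schedule_id\":\"7\"}'),
        ('{\"live_schedule_id\":\"8\"}'),
        ('{\"live_schedule_id\":\"71\"}')");
    return $pdo;
}

// Vulnerable pattern: intval() is applied to a local copy, but the original,
// tainted $live_schedule_id is what gets concatenated into the LIKE clause.
function getAllActiveOrToRepeatVulnerable(PDO $pdo, string $live_schedule_id): array
{
    $id = intval($live_schedule_id); // sanitized copy that is never used in the SQL
    $sql = "SELECT id FROM scheduler_commands WHERE parameters LIKE "
         . "'%\"live_schedule_id\":\"{$live_schedule_id}\"%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the value that reaches the query is the integer-cast one,
// and the whole LIKE pattern is bound as a parameter, so the input can only
// ever be data. Wildcards or quotes in the input cannot widen the match.
function getAllActiveOrToRepeatSafe(PDO $pdo, string $live_schedule_id): array
{
    $id = intval($live_schedule_id);
    if ($id <= 0) {
        return []; // reject anything that is not a positive schedule id
    }
    $stmt = $pdo->prepare('SELECT id FROM scheduler_commands WHERE parameters LIKE :pattern');
    $stmt->execute([':pattern' => '%"live_schedule_id":"' . $id . '"%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = setupDemoDb();
// Well-formed input behaves the same in both builders.
var_dump(getAllActiveOrToRepeatVulnerable($pdo, '7'));
var_dump(getAllActiveOrToRepeatSafe($pdo, '7'));
// A lone LIKE wildcard makes the taint visible without any SQL keywords:
// the vulnerable builder matches every row, the hardened one returns nothing.
var_dump(getAllActiveOrToRepeatVulnerable($pdo, '%'));
var_dump(getAllActiveOrToRepeatSafe($pdo, '%'));
```

The point of the hardened version is that the cast and the query use the same variable: whatever sanitization is applied must be applied to the value that is actually interpolated or bound, and binding the LIKE pattern as a parameter closes the remaining gap even if the cast were ever removed.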

Impact

Exploitation of this vulnerability allows authenticated users to execute time-based blind SQL injection, with the potential to read all database contents character by character. This could include sensitive information such as admin credentials, user personal information, API keys, and session tokens. Additionally, depending on MySQL permissions, it could be possible to modify data through stacked queries or subquery-based writes, potentially leading to account takeover.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the 'plugin/Live/remindMe.json.php' endpoint with a crafted 'live_schedule_id' parameter that includes SQL injection payloads, such as '1" AND SLEEP(5) --'. The injection takes advantage of the lack of proper sanitization, allowing the attacker to introduce SQL commands that are executed by the database. After confirming the injection, the attacker can extract data by modifying the payload to, for example, use the 'IF' statement to retrieve specific information from the database.

Remediation

The vulnerability has been patched in commit 75d45780728294ededa1e3f842f95295d3e7d144. Users are advised to update to the latest version.

Added: Mar 23, 2026, 7:50 PM
Updated: Mar 23, 2026, 7:50 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 6.4
remediation: 0.0
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.