zyx0814 FilePress SQL Injection Vulnerability in Shares Filelist API
Vulnerability
A critical SQL injection vulnerability has been identified in zyx0814 FilePress versions through 2.2.0. The issue resides in the Shares Filelist API, specifically within the 'dzz/shares/admin.php' file. The vulnerability arises because the 'order' parameter is directly concatenated into the SQL 'ORDER BY' clause without proper validation or parameterization. This flaw allows remote attackers to inject arbitrary SQL expressions. The vulnerability has been publicly disclosed and exploited, leading to unauthorized access to sensitive database information, including admin password hashes.
Impact
Exploitation of this vulnerability allows for time-based blind SQL injection, enabling attackers to extract arbitrary data from the database. This includes administrator credentials (username, password hash, and salt) from the 'dzz_user' table, with potential escalation to remote code execution through plugin installation.
Reproduction
The vulnerability can be reproduced by sending a POST request to the 'filelist' API endpoint with a crafted 'order' parameter. This can be done after creating multiple anonymous share records, which is possible without authentication. The injection is confirmed when the crafted 'order' value produces a measurable time-based delay in the response.
Remediation
A patch has been released that normalizes the case of the 'order' parameter and validates it before it reaches the query, so that only expected sort values are accepted. Affected installations should apply this patch to address the vulnerability.
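The following is an added illustration, not FilePress's code or its actual patch: it contrasts the pattern the advisory describes (an 'order' parameter concatenated straight into an ORDER BY clause) with the remediation pattern (case-normalizing the value and checking it against an allow-list of sortable columns and directions before building the query). The table schema, column names and allow-list are constructed for the example and are assumptions, not FilePress's real schema.

```python
import re
import sqlite3

# Constructed in-memory schema standing in for a shares table (assumption, not FilePress's schema).
SCHEMA = """
CREATE TABLE shares (sid INTEGER PRIMARY KEY, name TEXT, dateline INTEGER);
INSERT INTO shares VALUES (1, 'a.txt', 100), (2, 'b.txt', 300), (3, 'c.txt', 200);
"""

# Hypothetical allow-list of columns a client may sort by (assumption for this example).
ALLOWED_COLUMNS = {"sid", "name", "dateline"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_query_vulnerable(order: str) -> str:
    """The defect pattern from the advisory: request input pasted into ORDER BY.

    Whatever the client sends ends up verbatim in the SQL text, so any SQL
    expression in `order` is executed by the database.
    """
    return "SELECT sid, name FROM shares ORDER BY " + order


def normalize_order(order: str):
    """Parse '<column> [asc|desc]' case-insensitively.

    Returns (column, DIRECTION) with canonical case, or None when the value is
    anything other than one allow-listed column and an optional direction.
    """
    m = re.fullmatch(
        r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?:(asc|desc))?\s*", order, re.IGNORECASE
    )
    if not m:
        return None
    column = m.group(1).lower()
    direction = (m.group(2) or "asc").upper()
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        return None
    return column, direction


def build_query_hardened(order: str) -> str:
    """Remediation pattern: only values that survive normalization reach the SQL text."""
    parsed = normalize_order(order)
    if parsed is None:
        raise ValueError("invalid order parameter")
    column, direction = parsed
    return f"SELECT sid, name FROM shares ORDER BY {column} {direction}"


def fetch_sids(order: str):
    """Run the hardened query against the constructed sample data and return the sid order."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = conn.execute(build_query_hardened(order)).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(fetch_sids("DateLine desc"))           # mixed case is normalized
    print(build_query_vulnerable("sid, name"))   # shows the raw value landing in the SQL
    try:
        build_query_hardened("sid, name")
    except ValueError as exc:
        print("rejected:", exc)
```

Because ORDER BY targets cannot be bound as parameters in most database drivers, the allow-list is the control that matters here; the same `normalize_order` check can also be run over request logs to flag 'order' values that would have been rejected.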