CVE-2012-5910

A remote authenticated user (registration required) can inject arbitrary SQL commands via the `root` parameter in the URL `blogs/htsrv/viewfile.php` [ref_id=1]. The attacker appends SQL injection payloads to the `root` parameter, e.g., `root=shared_1[SQL-Injection]`, while requesting a file path such as `path=monument-valley/bus-stop-ahead.jpg&viewtype=image` [ref_id=1]. The application fails to neutralize special SQL syntax in the `root` input, allowing the injected commands to be executed against the database [CWE-89].

The vulnerability is in `blogs/htsrv/viewfile.php`, specifically in the handling of the `root` parameter [ref_id=1]. The advisory identifies the vulnerable module as `viewfile.php [root=shared_1]` [ref_id=1].

The advisory states a vendor fix/patch was released on 2012-03-31, but no patch diff is included in the bundle [ref_id=1]. The remediation would involve properly sanitizing or parameterizing the `root` parameter in `viewfile.php` to prevent SQL special characters from being interpreted as executable commands [CWE-89]. Without the patch content, the exact code change cannot be described.

Navigate to the user dashboard, choose to show files, then access a URL such as `http://127.0.1.1/b2evolution/blogs/htsrv/viewfile.php?path=monument-valley/bus-stop-ahead.jpg&viewtype=image&root=shared_1'[SQL injection payload]` [ref_id=1]. The injected SQL commands are executed against the application database.