CVE-2018-25414

Vulnerability

AiOPMSD Final 1.0.0 (build 4, released September 5, 2017) contains an SQL injection vulnerability in the actor.php script. The actor GET parameter is directly interpolated into SQL queries without sanitization or parameterization, allowing unauthenticated attackers to inject arbitrary SQL statements [2][3]. The application is a PHP/MySQL movie streaming script and does not require authentication to reach this endpoint [1].

Exploitation

An attacker can send a crafted GET request to the actor.php endpoint (e.g., .../actor.php?actor=malicious_payload) with a SQL injection payload in the actor parameter. No authentication or special privileges are required, and the attack can be performed remotely over HTTP. Standard SQL injection techniques such as UNION-based or error-based injection can be used [3].

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the underlying MySQL database. The attacker can extract sensitive information including database names, table names, user credentials (usernames and password hashes), and database version details. This can lead to complete compromise of the application's data and potential privilege escalation if credential reuse or weak hashing is present [3].

Mitigation

As of the available references, no official patch has been released for AiOPMSD Final 1.0.0; the project appears to be unmaintained [2]. The only workaround is to manually sanitize the actor parameter in actor.php using parameterized queries or input validation. If the application is still in use, it should be isolated from untrusted networks until a fix is applied [1][3].