CVE-2018-25417
Description
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Attackers can send GET requests to quality.php with crafted SQL payloads in the quality parameter to extract sensitive database information including usernames, database names, and version details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AiOPMSD Final 1.0.0 contains an unauthenticated SQL injection vulnerability via the `quality` parameter in `quality.php`, allowing remote extraction of sensitive database contents.
Vulnerability
AiOPMSD Final 1.0.0 (build 4, September 2017) [2] includes a `quality.php` script that accepts an unsanitized `quality` GET parameter. The parameter value is concatenated directly into SQL queries, which makes this a classic SQL injection vulnerability. No authentication is required to reach the vulnerable endpoint. The application is a PHP/MySQL-based movie streaming script [2].
Exploitation
An unauthenticated attacker can send a GET request to `quality.php` with a crafted `quality` parameter containing SQL injection payloads [1][3]. No special network position or prior access is needed. The attacker appends malicious SQL to the parameter value, and the response reveals error messages or data from the database.
Impact
Successful exploitation allows the attacker to extract sensitive database information, including usernames, database names, and version details [3]. This can lead to further compromise, such as gaining access to the administrator account if credentials are stored in the database. The impact is limited to read access, but could escalate depending on the database configuration.
Mitigation
No official patch has been released as the project appears abandoned (last update 2017) [2]. Users should consider migrating to an actively maintained alternative or deploying a web application firewall (WAF) to block SQL injection attempts. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog at this time.
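The following is an added example, not code from AiOPMSD or from the cited references: a Python log check a defender could run while the unpatched script is still deployed, flagging requests to `quality.php` whose `quality` value falls outside an allowlist. The allowlist pattern (short alphanumeric labels such as 720p) and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate `quality` values are short labels such as "720p" or "HD".
ALLOWED_QUALITY = re.compile(r"[A-Za-z0-9_-]{1,16}")

# Client IP, request target and status code from a combined-format access log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_quality_requests(lines):
    """Return (ip, status, decoded_value) for each quality.php request whose
    `quality` parameter does not match the allowlist."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/quality.php"):
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces are compared in clear.
        values = parse_qs(url.query, keep_blank_values=True).get("quality", [])
        for value in values:
            if not ALLOWED_QUALITY.fullmatch(value):
                findings.append((m["ip"], int(m["status"]), value))
    return findings


# Constructed sample log lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /quality.php?quality=720p HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /quality.php?quality=720p%27 HTTP/1.1" 500 312',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /quality.php?quality=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9044',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?quality=x%27 HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_quality_requests(SAMPLE_LOG):
        print(f"{ip} status={status} quality={value!r}")
```

The same allowlist can be enforced as a blocking rule in a WAF or reverse proxy in front of the application; the status code in each finding helps separate probes that produced a database error from requests that returned a normal page.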
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (4)
News mentions (0)
No linked articles in our index yet.