CVE-2018-25420
Description
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to watch.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AiOPMSD Final 1.0.0 is vulnerable to unauthenticated SQL injection via the 'id' parameter in watch.php, allowing attackers to extract sensitive database information.
Vulnerability
AiOPMSD (All In One Pack Online Movie Streaming Download) Final 1.0.0, build 4 as of September 2017 [2], contains a SQL injection vulnerability in watch.php. The id parameter is not sanitized before being used in SQL queries, allowing unauthenticated attackers to inject arbitrary SQL commands. The application is a PHP/MySQL script for online movie streaming [2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted GET request to watch.php with a malicious id parameter. No authentication or prior access is required. The attacker can use standard SQL injection techniques (e.g., UNION-based or error-based) to extract data. The response from the server may reveal the injected data or error messages, enabling iterative extraction [3].
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the underlying database. This can lead to the disclosure of sensitive information such as usernames, database names, and database version details [3]. Depending on the database permissions, further compromise of the application or server may be possible.
Mitigation
No official patch has been released for this vulnerability. The project appears to be abandoned, with the last update in 2017 [2]. Users should consider migrating to an alternative solution or, if continued use is necessary, implement a web application firewall (WAF) rule to block malicious id parameter values. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
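The kind of check such a WAF rule would perform, sketched as an added example (not code from AiOPMSD or from this advisory) and run here over access-log lines to find requests the rule would have blocked. It assumes legitimate `id` values are short decimal integers and that logs use the common Apache/nginx request-line format; the page states neither, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption (not stated on the page): a valid id is 1-10 ASCII digits.
ID_ALLOWED = re.compile(r"[0-9]{1,10}")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def classify(target):
    """Return 'ignore', 'allow' or 'block' for one request target."""
    parts = urlsplit(target)
    # Decode and lowercase the path so /WATCH.PHP, /watch%2ephp and
    # /watch.php/extra (PATH_INFO) are all treated as the same script.
    segments = unquote(parts.path).lower().split("/")
    if "watch.php" not in segments:
        return "ignore"
    # parse_qs percent-decodes once; keep blanks so "id=" is still seen.
    ids = parse_qs(parts.query, keep_blank_values=True).get("id", [])
    # Allowlist, not a blocklist of SQL keywords: exactly one id, and
    # fullmatch() so a trailing newline or quote cannot slip through.
    # Duplicate ids are rejected because a filter and PHP may read
    # different copies of the parameter.
    if len(ids) == 1 and ID_ALLOWED.fullmatch(ids[0]):
        return "allow"
    return "block"

def scan(lines):
    """Return (client, target) for every logged request the rule would block."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and classify(m.group("target")) == "block":
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /watch.php?id=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /watch.php?id=42%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /watch.php?id=7&id=8 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=abc HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/Jan/2024:10:00:06 +0000] "GET /movies/WATCH.PHP?id=%34%32%0a HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, target in scan(SAMPLE_LOG):
        print(f"would block {client}: {target}")
```

The same allowlist belongs in the application itself (an integer cast or a prepared statement in watch.php) if the code can be changed; a filter in front of the script only narrows the exposure.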
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: =1.0.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (4)
News mentions (0)
No linked articles in our index yet.