CVE-2020-37083

Vulnerability

Overview

PHP AddressBook version 9.0.0.1 of PHP AddressBook, a web-based contact manager, contains a time-based blind SQL injection vulnerability in the photo.php endpoint. The id parameter is not properly sanitized before being used in SQL queries, allowing an attacker to inject malicious SQL statements. By using time-delay functions like SLEEP(), the attacker can infer information from the database based on the response time of the server [1][2].

Exploitation

The vulnerability can be exploited remotely without authentication. An attacker sends HTTP GET requests to photo.php with a crafted id parameter containing SQL injection payloads that include time delays. For example, the payload ' AND (SELECT 7812 FROM (SELECT(SLEEP(5)))MkTv) AND 'nRZy'='nRZy causes the server to delay its response by 5 seconds if the injection is successful. This time-based technique allows the attacker to extract data character by character by observing response times [3].

Impact

Successful exploitation allows an unauthenticated remote attacker to read arbitrary data from the database, including sensitive user information such as passwords, email addresses, and other personal data stored in the address book. The CVSS v3 score of 8.2 (High) reflects the low complexity and network-based attack vector with no privileges required [2].

Mitigation

As of the latest available version (9.0.0.1, no official patch has been released. Users are advised to upgrade to a newer version if available, or implement input validation and parameterized queries to mitigate the risk. The vulnerability has been publicly disclosed and an exploit is available, increasing the urgency for remediation [2][3].