VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-30760

Description

An issue in SourceBans Material Admin before v.1.1.6 (3ecd95e) allows attackers to manipulate arbitrary user data in the web app via a crafted XAJAX call.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in SourceBans Material Admin < 1.1.6@a871904 allows authenticated attackers to escalate privileges, take over accounts, and achieve RCE via crafted XAJAX call.

Vulnerability

An SQL injection vulnerability exists in SourceBans Material Admin prior to version 1.1.6@a871904. The flaw resides in the ChangeAdminsInfos XAJAX handler in file includes/sb-callback.php. The vk and skype fields are not properly sanitized: while RemoveCode() applies htmlspecialchars(strip_tags($text)), on PHP <= 8.0 htmlspecialchars does not escape single quotes by default (no ENT_QUOTES flag). This allows an attacker to inject arbitrary SQL into the UPDATE query when setting profile links [2]. Versions 1.1.6 and earlier using PHP <= 8.0 are affected [1][4].
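To make the root cause concrete, here is an added example (not code from SourceBans Material Admin) that re-creates a `RemoveCode()`-style cleaner and runs a benign value with an apostrophe through both the concatenated and the parameterized form of the UPDATE. The `$flags` argument is an assumption used to emulate the pre-8.1 default (`ENT_COMPAT`, double quotes only) and the 8.1+ default (`ENT_QUOTES`) on whatever PHP version runs it; the in-memory SQLite table and the `o'brien` value are constructed for the demo.

```php
<?php
// Added example, not the project's code: htmlspecialchars(strip_tags())
// is an HTML encoder, not an SQL escaper.

// Emulates RemoveCode() as the advisory describes it. $flags is our own
// addition so both defaults can be reproduced on any PHP version.
function removeCode(string $text, int $flags): string
{
    return htmlspecialchars(strip_tags($text), $flags);
}

// Constructed test value: a legitimate handle that happens to contain a quote.
$input = "o'brien";

echo "ENT_COMPAT (PHP <= 8.0 default): " . removeCode($input, ENT_COMPAT) . PHP_EOL;
echo "ENT_QUOTES (PHP >= 8.1 default): " . removeCode($input, ENT_QUOTES) . PHP_EOL;
// Only the second line has the quote encoded as &#039;; the first keeps it raw.

// Constructed stand-in for the sb_admins table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE sb_admins (aid INTEGER PRIMARY KEY, user TEXT, vk TEXT, skype TEXT)");
$db->exec("INSERT INTO sb_admins (aid, user, vk, skype) VALUES (1, 'alice', '', '')");

$vk = removeCode($input, ENT_COMPAT);

// Before the fix: the cleaned value is spliced into the statement text.
// Even this harmless value terminates the string literal early, which is
// exactly the property the advisory's single-quote injection relies on.
try {
    $db->exec("UPDATE sb_admins SET vk = '" . $vk . "' WHERE aid = 1");
    echo "concatenated UPDATE succeeded (unexpected)" . PHP_EOL;
} catch (PDOException $e) {
    echo "concatenated UPDATE failed: " . $e->getMessage() . PHP_EOL;
}

// After the fix: the value is a bound parameter, so the quote is just data.
$stmt = $db->prepare("UPDATE sb_admins SET vk = ? WHERE aid = ?");
$stmt->execute([$vk, 1]);
$row = $db->query("SELECT vk FROM sb_admins WHERE aid = 1")->fetch(PDO::FETCH_ASSOC);
echo "parameterized UPDATE stored: " . $row['vk'] . PHP_EOL;
```

Running it shows the first UPDATE failing with a syntax error near `brien` while the prepared statement stores `o'brien` intact. A value that closes the literal with valid SQL instead of garbage would not error but would become part of the query structure, which is the injection the advisory describes; binding removes that possibility regardless of which `htmlspecialchars` default is in effect.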

Exploitation

An attacker must have an authenticated account with permission to update their profile contacts (the endpoint is reachable by any logged-in user). By sending a crafted XAJAX call containing a single quote payload in either the vk or skype parameter, the attacker can modify arbitrary columns in the sb_admins table. The endpoint also lacks CSRF protection and does not enforce a specific HTTP method, allowing an attacker to chain a CSRF with the SQLi: a victim administrator who visits a malicious page can trigger the payload via a GET request, carrying the victim's session cookie (bypassing SameSite=Lax) and leading to a one-click account takeover [1][2].

Impact

A successful exploit allows the attacker to escalate their own privileges to the maximum level, change other users' credentials (account takeover), and modify or delete administrator accounts. The attack chain can extend to remote code execution (RCE) on the host, granting full control over all game servers connected to the web admin panel [1][4]. The CVSS v3.1 score is 8.8 (High) with impact on confidentiality, integrity, and availability [2].

Mitigation

The vulnerability is patched in version 1.1.6@a871904 (commit a871904 in the stable-dev branch) [2][3]. Users should update immediately. No workaround is available for unpatched versions. The vendor recommends using PHP 8.0 or above, though the vulnerability itself depends on the specific PHP behavior; the fix addresses the root cause in SQL query construction. The issue was disclosed and fixed in October 2025 [2][3].

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

a8719044aa3e

Security update

https://github.com/sb-materialadmin/web · A1mDev · Feb 7, 2026 · via body-scan
1 file changed · +23 −10
  • includes/sb-callback.php (+23 −10, modified)
    @@ -2474,25 +2474,38 @@ function ChangeAdminsInfos($aid, $vk, $skype)
     {
       global $userbank;
       $objResponse = new xajaxResponse();
    -  $aid = (int)$aid;
    +  $aidSafe = (int)$aid;
     
    -  if($aid != $userbank->aid && !$userbank->is_logged_in())
    -  {
    +  if (!$userbank->is_logged_in() || $aidSafe != $userbank->aid) {
         $objResponse->redirect("index.php?p=login&m=no_access", 0);
         $log = new CSystemLog("w", "Ошибка доступа", $_SERVER["REMOTE_ADDR"] . " пытался сменить vk или skype, не имея на это прав.");
         return $objResponse;
       }
     
    -  $vk = RemoveCode($vk);
    -  $vk = str_replace(array("http://","https://","/","vk.com"), "", $vk);
    -  $skype = RemoveCode($skype);
    +  $vkSafe = RemoveCode($vk);
    +  $vkSafe = str_replace(array("http://", "https://", "/", "vk.com"), "", $vkSafe);
    +  $skypeSafe = RemoveCode($skype);
       
    -  $GLOBALS['db']->Execute("UPDATE `".DB_PREFIX."_admins` SET `vk` = '".$vk."', `skype` = '".$skype."' WHERE `aid` = ?", array((int)$aid));
    -  $admname = $GLOBALS['db']->GetRow("SELECT user FROM `".DB_PREFIX."_admins` WHERE aid = ?", array((int)$aid));
    -  $objResponse->addScript("ShowBox('Информация', 'Ваши данные были успешно обновлены!', 'green', 'index.php?p=account');");
    -  $log = new CSystemLog("m", "Данные связи изменены", "У адмнистратора ".$admname['user']." успешно были изменены данные на (vk: ".$vk.", skype: ".$skype.")");
    +  $GLOBALS['db']->Execute("UPDATE `" . DB_PREFIX . "_admins` SET `vk` = ?, `skype` = ? WHERE `aid` = ?", array($vkSafe, $skypeSafe, $aidSafe));
    +
    +  // Adodb bug, with function Affected_Rows =(
    +  //if ($GLOBALS['db']->Affected_Rows() < 1) {
    +    //$objResponse->addScript("ShowBox('Ошибка', 'Не удалось обновить данные!', 'red', 'index.php?p=account');");
    +  //} else {
    +    $admname = $GLOBALS['db']->GetRow("SELECT user FROM `" . DB_PREFIX . "_admins` WHERE aid = ?", array($aidSafe));
    +    $admnameSafe = RemoveCode($admname);
    +
    +    $objResponse->addScript("ShowBox('Информация', 'Ваши данные были успешно обновлены!', 'green', 'index.php?p=account');");
    +    
    +    $log = new CSystemLog("m", "Данные связи изменены", 
    +      "У администратора " . $admnameSafe . 
    +      " успешно были изменены данные на (vk: " . $vkSafe . ", skype: " . $skypeSafe . ")"
    +    );
    +  //}
    +
       return $objResponse;
     }
    +
     function ChangePassword($aid, $pass)
     {
       global $userbank;
    
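Review bot: `$admnameSafe = RemoveCode($admname);` hands the whole row returned by `GetRow` to `RemoveCode`, where the removed line used `$admname['user']`; because `RemoveCode` wraps `strip_tags()`/`htmlspecialchars()`, an array argument throws a TypeError on PHP 8 (and returns null with a warning on PHP 7), so the log entry written after a successful update will either abort the handler or record an empty name. Suggest `$admnameSafe = RemoveCode((string)$admname['user']);`. Separately, with the `Affected_Rows()` branch commented out the success ShowBox is emitted even when the UPDATE matched no row; if the ADOdb issue cannot be resolved, treating an empty `$admname` from the follow-up SELECT as a failure would restore that signal. The move to bound parameters and the `||` authorization check are the right fixes for the reported issue.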

Vulnerability mechanics

Root cause

"SQL injection in the `ChangeAdminsInfos` xajax handler due to unsanitized single quotes in user-supplied VK/Skype fields concatenated into an UPDATE query."

Attack vector

An authenticated attacker sends a crafted xajax call to `ChangeAdminsInfos` with a malicious VK or Skype value containing a single quote to break out of the string literal and inject arbitrary SQL into the UPDATE statement [ref_id=1][ref_id=2]. Because `htmlspecialchars` in PHP <= 8.0 does not escape single quotes by default (no `ENT_QUOTES` flag), the injection succeeds [ref_id=1][ref_id=2]. The endpoint also lacks CSRF protection and accepts GET requests as equivalent to POST, enabling a cross-site request forgery chain: an attacker can craft a single GET URL that, when visited by a logged-in admin, performs the SQLi payload to change credentials and escalate privileges [ref_id=1]. The broken authorization check (`&&` instead of `||`) further allows modifying any admin's record, not just the caller's own [ref_id=1].

Affected code

The vulnerable function is `ChangeAdminsInfos` in `includes/sb-callback.php` [ref_id=1][ref_id=2]. The injection occurs in the `$GLOBALS['db']->Execute(...)` call where `$vk` and `$skype` are concatenated directly into the SQL string after only `htmlspecialchars(strip_tags(...))` sanitization, which does not escape single quotes in PHP <= 8.0 [ref_id=1][ref_id=2].

What the fix does

The patch [patch_id=2974417] converts the vulnerable string concatenation to parameterized queries: `$vk` and `$skype` are now passed as bound parameters (`?`) to `$GLOBALS['db']->Execute(...)` instead of being interpolated directly into the SQL string. This prevents SQL injection by separating query structure from data. The patch also fixes the broken authorization logic by changing `&&` to `||` so that the access check correctly rejects unauthenticated users or users attempting to modify another admin's record [patch_id=2974417].
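The following added example (not the project's code and not the actual patch) pulls together the three weaknesses named in the Attack vector section and the fix described here into one hardened handler shape: a POST-only check, a per-session anti-CSRF token compared with `hash_equals`, the corrected `||` authorization condition, and a bound-parameter UPDATE. The method and CSRF checks are assumptions drawn from the advisory's description of the endpoint, not something the real commit adds; `$session`, `$request`, the SQLite stand-in table and the sample requests are constructed for the demo, and `removeCode` is a local stand-in for the project's `RemoveCode()`.

```php
<?php
// Added example, not SourceBans Material Admin code: a hardened shape for a
// ChangeAdminsInfos-style handler. Session/CSRF/method handling is assumed.

// Stand-in for the project's RemoveCode(); ENT_QUOTES is explicit so the
// display cleaning does not depend on the PHP version's default.
function removeCode(string $text): string
{
    return htmlspecialchars(strip_tags($text), ENT_QUOTES);
}

function changeAdminsInfosHardened(
    PDO $db, array $session, string $method, array $request, string $prefix = 'sb'
): array {
    // 1. Only POST: a crafted GET link carrying the victim's cookie is refused.
    if ($method !== 'POST') {
        return ['ok' => false, 'error' => 'method_not_allowed'];
    }
    // 2. Anti-CSRF token bound to the session, compared in constant time.
    if (!isset($session['csrf'], $request['csrf'])
        || !hash_equals($session['csrf'], (string)$request['csrf'])) {
        return ['ok' => false, 'error' => 'csrf'];
    }
    // 3. Authorization: reject if NOT logged in OR editing someone else's record
    //    (the advisory's fix replaces && with || in exactly this check).
    $aid = (int)($request['aid'] ?? 0);
    if (empty($session['logged_in']) || $aid !== (int)$session['aid']) {
        return ['ok' => false, 'error' => 'no_access'];
    }
    // 4. Keep display-level cleaning for the HTML context, but SQL safety
    //    comes from binding, never from this step.
    $vk = removeCode((string)($request['vk'] ?? ''));
    $vk = str_replace(['http://', 'https://', '/', 'vk.com'], '', $vk);
    $skype = removeCode((string)($request['skype'] ?? ''));

    $stmt = $db->prepare("UPDATE `{$prefix}_admins` SET `vk` = ?, `skype` = ? WHERE `aid` = ?");
    $stmt->execute([$vk, $skype, $aid]);
    // Report a real success only when exactly one row changed.
    return ['ok' => $stmt->rowCount() === 1];
}

// Constructed in-memory stand-in for sb_admins.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE sb_admins (aid INTEGER PRIMARY KEY, user TEXT, vk TEXT, skype TEXT)");
$db->exec("INSERT INTO sb_admins VALUES (1, 'alice', '', ''), (2, 'bob', '', '')");

// Constructed session for admin 1.
$session = ['logged_in' => true, 'aid' => 1, 'csrf' => bin2hex(random_bytes(16))];

// Constructed requests: a forged GET, an attempt on another admin's row,
// a request without the token, and a legitimate update.
$cases = [
    'forged GET'    => ['GET',  ['aid' => 1, 'vk' => 'x', 'csrf' => $session['csrf']]],
    'other admin'   => ['POST', ['aid' => 2, 'vk' => 'x', 'csrf' => $session['csrf']]],
    'missing token' => ['POST', ['aid' => 1, 'vk' => 'x']],
    'legitimate'    => ['POST', ['aid' => 1, 'vk' => "o'brien", 'skype' => 'live:ob',
                                 'csrf' => $session['csrf']]],
];
foreach ($cases as $name => [$method, $req]) {
    echo str_pad($name, 15) . json_encode(changeAdminsInfosHardened($db, $session, $method, $req)) . PHP_EOL;
}
```

The first three requests are refused with `method_not_allowed`, `no_access` and `csrf` respectively; only the last reaches the database, and the apostrophe in `o'brien` is stored as data because it travels as a bound parameter. Note that the ordering matters for detection as well: rejecting the method and token before touching the database gives a clean log signal for forged requests without executing any query.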

Preconditions

  • auth: Attacker must be authenticated as any admin (even with minimal privileges) to call ChangeAdminsInfos directly, OR the victim admin must have an active session for the CSRF variant.
  • input: The VK or Skype parameter must contain a single quote to break out of the SQL string literal.
  • network: Attacker must be able to send HTTP requests to the SBMA web interface (network access).

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.