CVE-2020-37105: PMB 5.6 SQL Injection Vulnerability

CVE-2020-37105 Overview

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the logid parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database.

Critical Impact
Authenticated attackers can execute arbitrary SQL commands against the database, potentially leading to unauthorized data access, data modification, or complete database compromise.

Affected Products

PMB 5.6

Discovery Timeline

2026-02-03 - CVE-2020-37105 published to NVD
2026-02-04 - Last updated in NVD database

Technical Details for CVE-2020-37105

Vulnerability Analysis

This SQL injection vulnerability resides in PMB's administration backup download functionality. The application fails to properly sanitize user-supplied input in the logid parameter before incorporating it into SQL queries. When an authenticated administrator accesses the /admin/sauvegarde/download.php endpoint, the logid parameter value is directly interpolated into database queries without adequate input validation or parameterization.

The vulnerability allows attackers with valid administrative credentials to manipulate the SQL query logic, enabling them to extract sensitive information from the database, modify existing records, or potentially execute administrative database operations depending on the database user privileges.

Root Cause

The root cause of this vulnerability is improper input validation and lack of parameterized queries (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). The logid parameter is not sanitized or properly escaped before being used in SQL statements, allowing attackers to inject malicious SQL syntax that alters the intended query behavior.

Attack Vector

The attack is network-based and requires authentication to the PMB administrative interface. An attacker with valid administrative credentials can craft malicious HTTP requests targeting the /admin/sauvegarde/download.php endpoint with specially crafted logid parameter values. These values contain SQL injection payloads that, when processed by the server, execute unintended SQL commands against the underlying database.

The attacker can leverage various SQL injection techniques including UNION-based injection to retrieve data from other tables, blind SQL injection to extract data through conditional responses, or time-based blind injection to infer database contents through response delays.

Detection Methods for CVE-2020-37105

Indicators of Compromise

Unusual HTTP requests to /admin/sauvegarde/download.php with suspicious logid parameter values containing SQL syntax characters (single quotes, UNION, SELECT, OR, AND)
Database query logs showing unexpected or malformed queries originating from the backup download functionality
Anomalous database access patterns or data exfiltration attempts from administrative sessions

Detection Strategies

Implement web application firewall (WAF) rules to detect SQL injection patterns in the logid parameter
Enable and monitor database query logging for unusual query structures or error messages
Deploy intrusion detection systems with signatures for common SQL injection payloads targeting the affected endpoint
Review HTTP access logs for suspicious patterns in requests to /admin/sauvegarde/download.php

Monitoring Recommendations

Configure alerts for multiple failed SQL queries or database errors from the PMB application
Monitor for unusual administrative session activity or access to backup download functionality
Implement database activity monitoring to detect unauthorized data access or extraction attempts
Track authentication events and correlate with subsequent requests to sensitive administrative endpoints

How to Mitigate CVE-2020-37105

Immediate Actions Required

Restrict access to the PMB administrative interface to trusted IP addresses only
Review administrative user accounts and disable any unnecessary or suspicious accounts
Implement additional authentication controls such as multi-factor authentication for administrative access
Consider temporarily disabling the backup download functionality until a patch can be applied

Patch Information

Check the PMB Project Files for the latest security updates. Review the VulnCheck PMB SQL Injection Advisory for additional mitigation guidance. Technical details about this vulnerability are also available at Exploit-DB #48356.

Workarounds

Apply input validation at the web server level using ModSecurity or similar WAF solutions to filter SQL injection patterns in requests to /admin/sauvegarde/download.php
Restrict network access to the administrative interface using firewall rules or VPN requirements
Implement database user privilege restrictions to limit the potential impact of SQL injection attacks
Enable database query auditing and set up real-time alerting for suspicious query patterns

bash

# Example ModSecurity rule to block SQL injection in logid parameter
SecRule ARGS:logid "@detectSQLi" \
    "id:100001,\
    phase:2,\
    deny,\
    status:403,\
    msg:'SQL Injection attempt detected in logid parameter',\
    log,\
    auditlog"