CVE-2020-37105 Overview
PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the logid parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database.
Critical Impact
Authenticated attackers can execute arbitrary SQL commands against the database, potentially leading to unauthorized data access, data modification, or complete database compromise.
Affected Products
- PMB 5.6
Discovery Timeline
- 2026-02-03 - CVE-2020-37105 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2020-37105
Vulnerability Analysis
This SQL injection vulnerability resides in PMB's administration backup download functionality. The application fails to properly sanitize user-supplied input in the logid parameter before incorporating it into SQL queries. When an authenticated administrator accesses the /admin/sauvegarde/download.php endpoint, the logid parameter value is directly interpolated into database queries without adequate input validation or parameterization.
The vulnerability allows attackers with valid administrative credentials to manipulate the SQL query logic, enabling them to extract sensitive information from the database, modify existing records, or potentially execute administrative database operations depending on the database user privileges.
Root Cause
The root cause of this vulnerability is improper input validation and lack of parameterized queries (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). The logid parameter is not sanitized or properly escaped before being used in SQL statements, allowing attackers to inject malicious SQL syntax that alters the intended query behavior.
Attack Vector
The attack is network-based and requires authentication to the PMB administrative interface. An attacker with valid administrative credentials can craft malicious HTTP requests targeting the /admin/sauvegarde/download.php endpoint with specially crafted logid parameter values. These values contain SQL injection payloads that, when processed by the server, execute unintended SQL commands against the underlying database.
The attacker can leverage various SQL injection techniques including UNION-based injection to retrieve data from other tables, blind SQL injection to extract data through conditional responses, or time-based blind injection to infer database contents through response delays.
Detection Methods for CVE-2020-37105
Indicators of Compromise
- Unusual HTTP requests to /admin/sauvegarde/download.php with suspicious logid parameter values containing SQL syntax characters (single quotes, UNION, SELECT, OR, AND)
- Database query logs showing unexpected or malformed queries originating from the backup download functionality
- Anomalous database access patterns or data exfiltration attempts from administrative sessions
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in the logid parameter
- Enable and monitor database query logging for unusual query structures or error messages
- Deploy intrusion detection systems with signatures for common SQL injection payloads targeting the affected endpoint
- Review HTTP access logs for suspicious patterns in requests to /admin/sauvegarde/download.php
Monitoring Recommendations
- Configure alerts for multiple failed SQL queries or database errors from the PMB application
- Monitor for unusual administrative session activity or access to backup download functionality
- Implement database activity monitoring to detect unauthorized data access or extraction attempts
- Track authentication events and correlate with subsequent requests to sensitive administrative endpoints
How to Mitigate CVE-2020-37105
Immediate Actions Required
- Restrict access to the PMB administrative interface to trusted IP addresses only
- Review administrative user accounts and disable any unnecessary or suspicious accounts
- Implement additional authentication controls such as multi-factor authentication for administrative access
- Consider temporarily disabling the backup download functionality until a patch can be applied
Patch Information
Check the PMB Project Files for the latest security updates. Review the VulnCheck PMB SQL Injection Advisory for additional mitigation guidance. Technical details about this vulnerability are also available at Exploit-DB #48356.
Workarounds
- Apply input validation at the web server level using ModSecurity or similar WAF solutions to filter SQL injection patterns in requests to /admin/sauvegarde/download.php
- Restrict network access to the administrative interface using firewall rules or VPN requirements
- Implement database user privilege restrictions to limit the potential impact of SQL injection attacks
- Enable database query auditing and set up real-time alerting for suspicious query patterns
# Example ModSecurity rule to block SQL injection in logid parameter
SecRule ARGS:logid "@detectSQLi" \
"id:100001,\
phase:2,\
deny,\
status:403,\
msg:'SQL Injection attempt detected in logid parameter',\
log,\
auditlog"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
