CVE-2026-27179 Overview
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parameter into multiple SQL queries without sanitization or parameterized queries. The commands module is loadable without authentication via the /objects/?module=commands endpoint, which includes arbitrary modules by name and calls their usual() method. Time-based blind SQL injection is exploitable using UNION SELECT SLEEP() syntax. Because MajorDoMo stores admin passwords as unsalted MD5 hashes in the users table, successful exploitation enables extraction of credentials and subsequent admin panel access.
Critical Impact
Unauthenticated attackers can extract sensitive data including admin credentials from the database, leading to complete compromise of the MajorDoMo home automation system.
Affected Products
- MajorDoMo (Major Domestic Module) - versions with vulnerable commands_search.inc.php
- Installations exposing the /objects/?module=commands endpoint
Discovery Timeline
- 2026-02-18 - CVE-2026-27179 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-27179
Vulnerability Analysis
This vulnerability represents a classic unauthenticated SQL injection flaw (CWE-89) in a home automation platform. The root issue lies in the direct interpolation of user-controlled input into SQL queries without proper sanitization. The commands_search.inc.php file accepts the parent parameter from the URL query string and embeds it directly into database queries, creating an injection point accessible to any network attacker.
What makes this vulnerability particularly dangerous is the complete lack of authentication requirements. The /objects/?module=commands endpoint dynamically loads modules by name and invokes their usual() method, meaning attackers can trigger the vulnerable code path without any credentials.
The time-based blind SQL injection technique using UNION SELECT SLEEP() allows attackers to exfiltrate data character-by-character by measuring response times. Combined with MajorDoMo's storage of admin passwords as unsalted MD5 hashes, attackers can extract these weak password hashes and crack them offline relatively quickly.
Root Cause
The vulnerability stems from insecure coding practices in the commands_search.inc.php file. Instead of using parameterized queries or prepared statements, the code directly concatenates the $_GET['parent'] parameter into SQL query strings. This lack of input validation and improper use of database APIs creates the SQL injection vulnerability. Additionally, the absence of authentication checks on the commands module endpoint exposes this vulnerable code to unauthenticated access.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can craft malicious HTTP requests to the /objects/?module=commands endpoint with a specially crafted parent parameter containing SQL injection payloads. The attack flow typically involves:
- Accessing the unauthenticated commands module endpoint
- Injecting time-based SQL payloads through the parent parameter
- Using UNION SELECT SLEEP() syntax to extract data through timing analysis
- Targeting the users table to retrieve unsalted MD5 password hashes
- Cracking the weak MD5 hashes offline
- Authenticating to the admin panel with compromised credentials
The vulnerability allows for extraction of arbitrary database contents. Technical details and proof-of-concept information are available in the Chocapikk blog post and the VulnCheck advisory.
Detection Methods for CVE-2026-27179
Indicators of Compromise
- HTTP requests to /objects/?module=commands with suspicious parent parameter values
- SQL injection payloads containing UNION, SELECT, SLEEP(), or time-based injection syntax in URL parameters
- Unusual response time patterns indicating time-based blind SQL injection attempts
- Failed or successful authentication attempts following reconnaissance activity against the commands module
Detection Strategies
- Monitor web server access logs for requests to /objects/?module=commands with encoded or malformed parent parameters
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in query strings
- Deploy database activity monitoring to identify unusual query patterns or timing anomalies
- Analyze network traffic for repeated requests with varying SLEEP() durations characteristic of blind SQL injection
Monitoring Recommendations
- Enable detailed logging for all requests to the MajorDoMo /objects/ endpoint
- Set up alerts for SQL syntax keywords appearing in URL parameters
- Monitor database query execution times for anomalous patterns
- Track authentication events following any suspicious activity against the commands module
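As an added example that is not code from the MajorDoMo project or the cited advisories, the log-monitoring strategy and alerting recommendations above applied to constructed Apache combined-format access-log lines: the scanner URL-decodes the parent parameter (so encoded and double-encoded payloads are not missed) before matching the SQL keywords named in this advisory, and counts hits per source IP, since repeated requests from one client with varying SLEEP() values are the signature of blind injection probing.

```python
"""Flag MajorDoMo access-log lines that look like CVE-2026-27179 probing."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-format sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2026:10:01:02 +0000] "GET /objects/?module=commands&parent=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Feb/2026:10:01:07 +0000] "GET /objects/?module=commands&parent=1%20UNION%20SELECT%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.9 - - [18/Feb/2026:10:01:14 +0000] "GET /objects/?module=commands&parent=1%20UNION%20SELECT%20SLEEP(10)-- HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.7 - - [18/Feb/2026:10:02:00 +0000] "GET /objects/?module=menu&parent=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# SQL keywords named in the advisory, matched after URL decoding.
SQLI_RE = re.compile(r"\b(union|select|sleep\s*\(|benchmark\s*\()", re.IGNORECASE)

def decode_param(url, name):
    """Return a query parameter decoded twice (catches %2520-style double encoding)."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name)
    return unquote_plus(values[0]) if values else None

def is_suspicious(url):
    """True when the request loads the commands module with SQL syntax in `parent`."""
    if decode_param(url, "module") != "commands":
        return False
    parent = decode_param(url, "parent")
    return bool(parent and SQLI_RE.search(parent))

def scan(log_text):
    """Return (hits, per-IP counts); repeated hits from one IP suggest blind-SQLi probing."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["url"]):
            hits.append((m["ip"], m["ts"], decode_param(m["url"], "parent")))
            per_ip[m["ip"]] += 1
    return hits, per_ip

if __name__ == "__main__":
    for ip, ts, payload in scan(SAMPLE_LOG)[0]:
        print(f"{ts} {ip} parent={payload!r}")
```

Feed real access logs through scan() and alert when per_ip crosses a threshold; the keyword list is deliberately short, so extend SQLI_RE with whatever your WAF already flags.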
How to Mitigate CVE-2026-27179
Immediate Actions Required
- Restrict network access to MajorDoMo installations to trusted networks only
- Implement authentication requirements for all module endpoints
- Deploy a Web Application Firewall with SQL injection detection rules
- Review access logs for signs of prior exploitation
Patch Information
A fix has been submitted via GitHub Pull Request #1177. Users should apply this patch or update to a version containing the fix once released. The patch should use parameterized queries (prepared statements) so that the parent value is passed to the database as data rather than interpolated into the SQL text.
Workarounds
- Block external access to MajorDoMo or place it behind a VPN
- Use .htaccess or web server configuration to restrict access to the /objects/ endpoint
- Implement network-level access controls to limit who can reach the MajorDoMo interface
- Consider migrating admin accounts to use stronger password hashing algorithms
# Example: Restrict access to the MajorDoMo /objects/ endpoint (Apache 2.4 syntax).
# <Location> is not permitted inside a .htaccess file, so this block belongs in the
# main server or <VirtualHost> configuration. In a .htaccess file placed in the
# objects/ directory, use only the two Require lines (needs AllowOverride AuthConfig).
<Location /objects/>
    Require ip 192.168.1.0/24
    Require ip 127.0.0.1
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.