PT-2026-25865 · Packagist · Admidio/Admidio
Published
2026-03-16
·
Updated
2026-03-16
·
CVE-2026-32813
CVSS v3.1
8.0
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Summary
The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the
adm list columnsAn attacker can inject arbitrary SQL through these stored values to read, modify, or delete any data in the database, potentially achieving full database compromise.
Details
Step 1: Storing the Payload (Safe Write)
In
modules/groups-roles/mylist function.phpusr mem ListConfiguration::addColumn()Entity::save()Key source file references:
lines 89-115D:bugcrowdadmidiorepomodulesgroups-rolesmylist function.php
lines 106-116D:bugcrowdadmidioreposrcRolesEntityListConfiguration.php
Step 2: Triggering the Payload (Unsafe Read)
When the list is viewed (via
lists show.phpListConfiguration::getSql()Injection Point 1 -- lsc special field in SELECT clause:
File
D:bugcrowdadmidioreposrcRolesEntityListConfiguration.phplsc special fieldmem durationmem beginmem enddefault$dbColumnName$sqlColumnName$dbColumnName AS $sqlColumnNameInjection Point 2 -- lsc sort in ORDER BY clause:
File
D:bugcrowdadmidioreposrcRolesEntityListConfiguration.phplsc sortInjection Point 3 -- lsc special field in search conditions:
File
D:bugcrowdadmidioreposrcRolesEntityListConfiguration.phplsc special fieldInjection Point 4 -- lsc filter via ConditionParser:
File
D:bugcrowdadmidioreposrcRolesValueObjectConditionParser.phpRoot Cause
The
addColumn()mylist function.phpusr mem usr id) UNION SELECT ...<select>PoC
Prerequisites: Logged-in user with list edit permission (default: all logged-in users).
Step 1: Save a list config with SQL injection in lsc special field
curl -X POST "https://TARGET/adm program/modules/groups-roles/mylist function.php?mode=save temporary" -H "Cookie: ADMIDIO SESSION ID=<session>" -d "adm csrf token=<csrf token>" -d "column[]=usr login name" -d "column[]=usr id FROM adm users)--" -d "sort[]=" -d "sort[]=" -d "condition[]=" -d "condition[]=" -d "sel roles[]=<valid role uuid>"
The second column value
usr id FROM adm users)--usr getSql()Step 2: Sort-based injection (simpler, no prefix check needed)
curl -X POST "https://TARGET/adm program/modules/groups-roles/mylist function.php?mode=save temporary" -H "Cookie: ADMIDIO SESSION ID=<session>" -d "adm csrf token=<csrf token>" -d "column[]=usr login name" -d "sort[]=ASC,(SELECT+CASE+WHEN+(1=1)+THEN+1+ELSE+1/0+END)" -d "condition[]=" -d "sel roles[]=<valid role uuid>"
This injects into the ORDER BY clause. The sort value has zero server-side validation.
Step 3: The
save temporarylists show.phpListConfiguration::getSql()Impact
- Data Exfiltration: An attacker can extract any data from the database including password hashes, email addresses, personal data of all members, and application configuration.
- Data Modification: With stacked queries (supported by MySQL with PDO), the attacker can modify or delete data.
- Privilege Escalation: Password hashes can be extracted and cracked, or admin accounts can be directly modified.
- Full Database Compromise: The entire database is accessible through this vulnerability.
The attack requires authentication and CSRF token, but:
- Any logged-in user has this permission by default (when
).groups roles edit lists = 1 - The CSRF token is available in the same session.
- The injected payload persists in the database and triggers every time anyone views the list.
Recommended Fix
Fix 1: Allowlist for lsc special field
Add a strict allowlist of valid special field names before calling
addColumn()mylist function.phpgetSql()mylist.phpFix 2: Validate lsc sort values
In
ListConfiguration::addColumn()Fix 3: Defense-in-depth validation in ListConfiguration::getSql()
Also validate the
lsc special fieldgetSql()Fix 4: Escape filter values in ConditionParser
Use parameterized queries or at minimum escape single quotes in
ConditionParser::makeSqlStatement()Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Admidio/Admidio