Attack Chain

1. The attacker identifies a Joomla site using com_hdwplayer version 4.2.
2. The attacker crafts a malicious SQL payload, designed to extract data from the hdwplayer_videos table.
3. The attacker sends an HTTP POST request to search.php.
4. The POST request includes the crafted SQL payload within the hdwplayersearch parameter.
5. The application fails to properly sanitize the hdwplayersearch parameter.
6. The application executes the attacker-controlled SQL query against the database.
7. The database returns sensitive information from the hdwplayer_videos table.
8. The attacker receives the extracted data, such as usernames, passwords, or video metadata.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2020-37218) allows unauthenticated attackers to execute arbitrary SQL queries, potentially leading to the theft of sensitive information, such as usernames, passwords, and video metadata, from the Joomla database. The vulnerability exists in Joomla com_hdwplayer 4.2. While the precise number of affected installations is unknown, any Joomla site using this extension is potentially at risk. This could lead to data breaches, reputational damage, and legal liabilities for the affected organizations.

Recommendation

• Inspect web server logs for POST requests to search.php with suspicious SQL syntax in the hdwplayersearch parameter to detect exploitation attempts (see Sigma rule Detect Joomla com_hdwplayer SQL Injection Attempt).
• Apply available patches or updates for com_hdwplayer to remediate the SQL injection vulnerability described in CVE-2020-37218.
• Implement input validation and sanitization on the hdwplayersearch parameter to prevent SQL injection attacks.
• Deploy the Sigma rule Detect Joomla com_hdwplayer SQL Injection Successful to identify successful exploitation by monitoring for database errors.