CVE-2009-4735 in Audioinfo

Summary

by MITRE

SQL injection vulnerability in login.php in Allomani Audio & Video Library (Songs & Clips version) 2.7.0 allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/02/2026

The vulnerability identified as CVE-2009-4735 represents a critical sql injection flaw in the Allomani Audio & Video Library software version 2.7.0, specifically within the login.php script. This weakness stems from inadequate input validation and sanitization mechanisms that fail to properly filter user-supplied data before incorporating it into database queries. The vulnerability manifests when the application processes the username parameter during login operations, creating an exploitable condition where malicious actors can manipulate the authentication flow through carefully crafted sql commands.

The technical implementation of this vulnerability aligns with CWE-89, which categorizes sql injection as a direct result of insufficient input validation and improper query construction. Attackers can exploit this flaw by submitting malicious sql payloads through the username parameter, potentially bypassing authentication mechanisms entirely. The vulnerability's remote exploitability means that attackers do not require local system access or physical presence to leverage the flaw, making it particularly dangerous in networked environments. The attack surface expands significantly when considering that the vulnerability affects the core authentication functionality, potentially allowing unauthorized access to sensitive user data and system resources.

The operational impact of this vulnerability extends beyond simple unauthorized access, as successful exploitation could enable attackers to extract database contents, modify user credentials, or even escalate privileges within the affected system. The Allomani Audio & Video Library application likely stores user account information, media metadata, and potentially sensitive configuration data within its database, making these targets of interest for malicious actors. From an attack perspective, this vulnerability maps to ATT&CK technique T1190, which describes the exploitation of vulnerabilities in remote services to gain unauthorized access. The implications are particularly severe given that the vulnerability affects a media library system that may store user-generated content and personal information, potentially exposing users to privacy violations and data breaches.

Mitigation strategies for this vulnerability require immediate remediation through input sanitization and parameterized query implementation. System administrators should prioritize updating to patched versions of the Allomani Audio & Video Library software, as the vendor would have likely addressed this issue in subsequent releases. The implementation of proper input validation mechanisms, including whitelisting username formats and employing prepared statements for all database interactions, would effectively neutralize this vulnerability. Additionally, network segmentation and access controls should be implemented to limit exposure of the vulnerable application to untrusted networks. Security monitoring should include detection of suspicious login attempts and unusual database query patterns that may indicate exploitation attempts. Organizations should also conduct comprehensive vulnerability assessments to identify similar sql injection vulnerabilities within their broader application portfolio, as this represents a common weakness that frequently appears in legacy web applications.

Reservation

03/18/2010

Disclosure

03/18/2010

Moderation

accepted

Entry

VDB-52243

CPE

ready

Exploit

Download

EPSS

0.00999

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!