📄 Description (English)
ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Attackers can send GET requests to pdfstream.php, imagestream.php, or anyfilestream.php with crafted SQL payloads in the IMG parameter to extract sensitive database information including version and database names.
🤖 AI Executive Summary
ownDMS 4.7 contains a critical unauthenticated SQL injection vulnerability in file streaming endpoints that allows attackers to extract sensitive database information without authentication. The vulnerability affects pdfstream.php, imagestream.php, and anyfilestream.php through the IMG parameter, enabling complete database enumeration and potential data exfiltration. With no available patch and no exploit currently public, organizations using ownDMS must implement immediate compensating controls to prevent exploitation.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 25, 2026 11:34
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using ownDMS for document management, particularly in government agencies (NCA, Ministry of Interior), healthcare institutions managing patient records, and financial services managing sensitive client data. Banking sector (SAMA-regulated institutions) faces elevated risk if ownDMS is used for document archival. The unauthenticated nature of the attack makes it particularly dangerous for organizations with internet-facing instances. Energy sector (ARAMCO subsidiaries) and telecommunications (STC) using ownDMS for internal document management are also at risk.
🏢 Affected Saudi Sectors
Government (NCA, Ministry of Interior, Ministry of Health)
Banking and Financial Services (SAMA-regulated)
Healthcare (patient records management)
Energy (ARAMCO subsidiaries)
Telecommunications (STC, other operators)
Education (university document management)
Legal Services
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all instances of ownDMS 4.7 in your environment, particularly internet-facing deployments
2. Implement network-level access controls: restrict access to pdfstream.php, imagestream.php, and anyfilestream.php to authorized users only via WAF rules
3. Disable or remove ownDMS if not actively used
Compensating Controls (until patch available):
4. Deploy Web Application Firewall (WAF) rules to block SQL injection patterns in IMG parameter: block requests containing SQL keywords (UNION, SELECT, INSERT, DROP, etc.)
5. Implement input validation: whitelist allowed IMG parameter values, reject any containing special characters or SQL syntax
6. Enable database query logging and monitor for suspicious SQL patterns
7. Implement rate limiting on affected endpoints to prevent automated exploitation
8. Restrict database user permissions to read-only where possible
Detection Rules:
9. Monitor HTTP logs for GET requests to pdfstream.php, imagestream.php, anyfilestream.php containing: IMG parameter with URL-encoded SQL keywords (%27, %3D, UNION, SELECT, information_schema)
10. Alert on database error messages in application logs containing table/column enumeration attempts
11. Monitor for unusual database connection patterns or queries from web application user
Long-term:
12. Evaluate alternative document management solutions with active security support
13. Plan migration away from ownDMS 4.7
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ ownDMS 4.7 في بيئتك، خاصة التطبيقات المتصلة بالإنترنت
2. تطبيق ضوابط الوصول على مستوى الشبكة: تقييد الوصول إلى pdfstream.php و imagestream.php و anyfilestream.php للمستخدمين المصرح لهم فقط عبر قواعد WAF
3. تعطيل أو إزالة ownDMS إذا لم يكن قيد الاستخدام النشط
الضوابط التعويضية (حتى توفر التصحيح):
4. نشر قواعد جدار حماية تطبيقات الويب لحجب أنماط حقن SQL في معامل IMG: حجب الطلبات التي تحتوي على كلمات SQL (UNION, SELECT, INSERT, DROP، إلخ)
5. تطبيق التحقق من صحة الإدخال: إدراج قيم معامل IMG المسموحة في قائمة بيضاء، رفض أي منها يحتوي على أحرف خاصة أو بناء جملة SQL
6. تفعيل تسجيل استعلامات قاعدة البيانات ومراقبة الأنماط المريبة
7. تطبيق تحديد معدل على نقاط النهاية المتأثرة لمنع الاستغلال الآلي
8. تقييد أذونات مستخدم قاعدة البيانات للقراءة فقط حيث أمكن
قواعد الكشف:
9. مراقبة سجلات HTTP لطلبات GET إلى pdfstream.php و imagestream.php و anyfilestream.php تحتوي على: معامل IMG يحتوي على كلمات SQL المشفرة بـ URL (%27, %3D, UNION, SELECT, information_schema)
10. التنبيه على رسائل خطأ قاعدة البيانات في سجلات التطبيق التي تحتوي على محاولات تعداد الجداول/الأعمدة
11. مراقبة أنماط الاتصال غير العادية بقاعدة البيانات أو الاستعلامات من مستخدم تطبيق الويب
المدى الطويل:
12. تقييم حلول إدارة المستندات البديلة مع دعم أمان نشط
13. التخطيط للهجرة بعيداً عن ownDMS 4.7
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Business Environment
SAMA CSF PR.DS-1 - Data Security Management
SAMA CSF DE.CM-1 - Detection and Analysis
🟡 ISO 27001:2022
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2.1 - Supplier security requirements
ISO 27001:2022 A.8.1.1 - Inventory of assets
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 11.3 - Penetration testing
🔗 References & Sources 4
🔗
🔗
🔗
🔗
http://www.owndms.com/
disclosure@vulncheck.com
https://datapacket.dl.sourceforge.net/project/owndms/owndms_47.zip
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/46168
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/owndms-sql-injection-via-pdfstream-php-imagestream...
disclosure@vulncheck.com