SQL Injection in search function in ampache/ampache


Reported on

Jan 17th 2023


In the search function

With options recent_played, user input is taken directly into the query without being included in the prepare statement


Proof of Concept

POST /ampache-5.5.6_all_php7.4/public/search.php?type=song HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 182
Origin: http://localhost:8888
Connection: close
Referer: http://localhost:8888/ampache-5.5.6_all_php7.4/public/
Cookie: ampache_user=guest; ampache_lang=en_US; Phpstorm-17c87dff=9619a576-ef80-49a0-9252-c4b775fa56e9; PHPSESSID=5t42n9a1kgatekd8php652hmmb; ampache=7bpnb4re3e8q400l5lkk2v05qm; sidebar_state=expanded
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin




The vulnerability allows authenticated users to perform SQL injection. A successful attack may result from the selection of entire tables and, in certain cases, the attacker gaining administrative rights to a database, writing files to the server leading to Remote Code Execute, XXS Stored, or writing a script to extract data.

We are processing your report and will contact the ampache team within 24 hours. 2 months ago
We have contacted a member of the ampache team and are waiting to hear back 2 months ago
ampache/ampache maintainer has acknowledged this report 2 months ago
lachlan validated this vulnerability 2 months ago

the interface checks for ints but that doesn't stop the link itself

d47sec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
lachlan marked this as fixed in 5.5.7,develop with commit c456e6 2 months ago
lachlan has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 10th 2023
lachlan published this vulnerability a month ago
to join this conversation