Vulnerabilities in Ampache (<=3.9.1)
During a Red Team operation, multiple vulnerabilities were discovered in Ampache, an open source web platform for audio/video streaming. CVE codes have been assigned for two of them: CVE-2019-12385 (SQL injection) and CVE-2019-12386 (stored XSS).

Ampache SQL injection (CVE-2019-12385)

Communication with the database is made via the Dba class (ORM), which relies on PHP PDO to perform queries. Some of them are performed properly using prepared statements, but in other cases the Dba::escape method is used.

lib/class/dba.class.php:

    public static function escape($var)
    {
        $dbh = self::dbh();
        if (!$dbh) {
            debug_event('Dba', 'Wrong dbh.', 1);
            exit;
        }
        $var = $dbh->quote($var);
        // This is slightly less ugly than it was, but still ugly
        return ...
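
The two query styles contrasted above (escape-then-concatenate versus prepared statements), side by side as an added example; this is not Ampache's code and not part of the original write-up. It assumes PHP with the PDO SQLite driver, and the `song` table, its rows and the function names are constructed for illustration.

```php
<?php
// Added example, not Ampache code. Schema, sample rows and function names are constructed.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE song (id INTEGER PRIMARY KEY, title TEXT, artist TEXT)');
$dbh->exec("INSERT INTO song (title, artist) VALUES
    ('Intro', 'AC/DC'), ('Outro', 'Guns N'' Roses'), ('Demo', 'AC/DC')");

// Style 1: escape, then build the SQL text by concatenation.
// The statement is only as safe as this one call site: the escaped value must
// land exactly where a complete string literal is valid, and every later edit
// to the statement has to preserve that.
function titles_escaped(PDO $dbh, string $artist): array
{
    $sql = 'SELECT title FROM song WHERE artist = ' . $dbh->quote($artist) . ' ORDER BY id';
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Style 2: prepared statement. The SQL text is a constant; the value is sent
// as a bound parameter and is never parsed as SQL.
function titles_prepared(PDO $dbh, string $artist): array
{
    $stmt = $dbh->prepare('SELECT title FROM song WHERE artist = ? ORDER BY id');
    $stmt->execute([$artist]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Numeric position: validate the input and bind it with an explicit type
// instead of splicing request text into the statement.
function title_by_id(PDO $dbh, string $id): ?string
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $dbh->prepare('SELECT title FROM song WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

$artist = "Guns N' Roses"; // constructed input containing a quote character
var_dump(titles_escaped($dbh, $artist) === titles_prepared($dbh, $artist));
var_dump(title_by_id($dbh, '2'));
```

With bound parameters the safety property no longer depends on where in the statement each value ends up, which is what makes mixed use of the two styles in one code base hard to audit.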