FireShare FileShare Time-Based Blind SQL Injection Vulnerability in API Sort Parameter

Vulnerability

A time-based blind SQL injection vulnerability has been identified in FireShare FileShare version 1.2.25. The issue resides in the sort parameter of the '/api/videos/public' endpoint, where user input is directly inserted into the SQL ORDER BY clause without proper sanitization. This flaw allows attackers to inject arbitrary SQL subqueries. Exploitation of this vulnerability could lead to the extraction of sensitive data, such as usernames and email addresses, and the ability to confirm and impersonate high-privilege users like administrators.

Impact

Exploitation of this vulnerability allows for the extraction of usernames, emails, and potentially password hashes, as well as the enumeration of database tables and columns. Additionally, it enables privilege escalation by impersonating high-privilege users, such as admin accounts.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/api/videos/public' endpoint with a crafted sort parameter that includes a SQL injection payload. The injected SQL subquery should be designed to cause a delay in the response time, indicating that the injection was successful. This can be done by, for example, checking the first character of a username in the database and using a payload that slows down the response if the condition is met.

Remediation

Users are advised to update to FireShare FileShare version 1.2.26, which addresses this vulnerability. The update can be downloaded from the FireShare GitHub releases page.
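For code that builds an ORDER BY clause from a request parameter, as the sort parameter described above does, the usual hardening is to treat the parameter as a key into a fixed allowlist of ordering fragments. The following is an added example, not FireShare's code or its 1.2.26 fix; the table, column names, sort keys and function names are assumptions made for illustration.

```python
import sqlite3

# Assumed sort keys and column names; the FireShare schema is not shown on this page.
SORT_ALLOWLIST = {
    "newest": "created_at DESC",
    "title": "title COLLATE NOCASE ASC",
    "views": "views DESC",
}
DEFAULT_SORT = "newest"


def order_by_unsafe(sort):
    """Pattern described in the advisory: request text is pasted into ORDER BY."""
    return f"SELECT title FROM video ORDER BY {sort}"


def order_by_safe(sort):
    """Request text only selects a key; the SQL fragment is a server-side constant."""
    if not isinstance(sort, str) or sort not in SORT_ALLOWLIST:
        sort = DEFAULT_SORT  # an API could return HTTP 400 here instead
    return f"SELECT title FROM video ORDER BY {SORT_ALLOWLIST[sort]}"


def list_public_videos(conn, sort=None):
    return [row[0] for row in conn.execute(order_by_safe(sort))]


def make_demo_db():
    """Constructed sample data, for the demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE video (title TEXT, views INTEGER, created_at TEXT)")
    conn.executemany(
        "INSERT INTO video VALUES (?, ?, ?)",
        [("beta", 5, "2025-01-02"), ("Alpha", 9, "2025-01-01"), ("gamma", 1, "2025-01-03")],
    )
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    untrusted = "title, (SELECT 1)"  # constructed value that is not an allowlisted key
    print(order_by_unsafe(untrusted))  # request text reaches the SQL string
    print(order_by_safe(untrusted))    # falls back to the default ordering
    print(list_public_videos(db, "views"))
```

Bound parameters cannot stand in for a column name or sort direction, so parameterizing the query does not fix an ORDER BY built this way; the allowlist lookup is what keeps request text out of the statement.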

Added: Sep 2, 2025, 6:25 PM
Updated: Sep 2, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.