ClipBucket SQL Injection Vulnerability in ajax.php Endpoint Allows Database Exfiltration

A time-based blind SQL injection vulnerability has been identified in ClipBucket version 5.5.3 and prior, specifically within the actions/ajax.php endpoint. This vulnerability arises from inadequate input sanitization of the userid parameter, allowing authenticated attackers to execute arbitrary SQL queries. Exploitation of this flaw could lead to complete database disclosure and potential takeover of administrative accounts.

Impact

Exploitation of this vulnerability allows authenticated users to extract sensitive information from the database, including administrative credentials, which could further compromise the application and its underlying server environment.

Reproduction

To reproduce this vulnerability, log into the application as a regular user and obtain a valid PHPSESSID cookie. Then, send a POST request to the actions/ajax.php endpoint with the mode set to 'get_subscribers_count' and the userid parameter. The unsanitized userid parameter will be processed by the server, allowing for SQL injection. This vulnerability can be exploited manually or with automated tools like sqlmap, which can extract database information by exploiting the SQL injection.

Remediation

Users can upgrade to ClipBucket version 5.5.3 #80 or later, where this vulnerability has been fixed.