
Emby MediaServer 3.2.5 Boolean-based Blind SQL Injection Vulnerability

Medium
Advisory ID
ZSL-2017-5400
Release Date
30 April 2017
Vendor
Affected Version
3.2.5, 3.1.5, 3.1.2, 3.1.1, 3.1.0, 3.0.0
CVE
N/A
Tested On
Microsoft Windows 7 Professional SP1 (EN), Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50, Ubuntu Linux 14.04.5, MacOS Sierra 10.12.3, SQLite3
Summary

Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center.

Description

Emby suffers from a blind SQL injection vulnerability. Input passed via the GET parameter 'MediaTypes' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
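
One way to handle a comma-separated list parameter such as 'MediaTypes' safely against SQLite, shown as an added example that is not Emby's code and not part of the original advisory. The table and column names, the allowlist values and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Assumed allowlist: the advisory does not enumerate the accepted values.
ALLOWED_MEDIA_TYPES = {"Audio", "Video", "Photo", "Book", "Game"}


def make_sample_db():
    """Constructed in-memory library; hypothetical schema, not Emby's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Items (Name TEXT, MediaType TEXT)")
    conn.executemany(
        "INSERT INTO Items VALUES (?, ?)",
        [("Song A", "Audio"), ("Film B", "Video"),
         ("Film C", "Video"), ("Pic D", "Photo")],
    )
    return conn


def parse_media_types(raw, strict=True):
    """Split the comma-separated parameter; in strict mode reject unknown values."""
    values = [v.strip() for v in raw.split(",") if v.strip()]
    if strict:
        unknown = [v for v in values if v not in ALLOWED_MEDIA_TYPES]
        if unknown:
            raise ValueError(f"unsupported MediaTypes value(s): {unknown!r}")
    return values


def query_items(conn, raw_media_types, strict=True):
    """Return item names for the requested media types using bound parameters."""
    types = parse_media_types(raw_media_types, strict)
    if not types:
        return []
    # Only the number of placeholders depends on the input; every value is
    # bound by the driver, so quotes and operators in it stay literal data.
    placeholders = ",".join(["?"] * len(types))
    sql = f"SELECT Name FROM Items WHERE MediaType IN ({placeholders}) ORDER BY Name"
    return [row[0] for row in conn.execute(sql, types)]


if __name__ == "__main__":
    db = make_sample_db()
    print(query_items(db, "Audio, Photo"))
    # Constructed malformed value: bound as one literal string, matches nothing.
    print(query_items(db, "Video' OR '1'='1", strict=False))
```

Binding alone keeps the value out of the SQL text; the allowlist additionally turns malformed input into an error that can be logged and alerted on.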

Proof of Concept
Disclosure Timeline
22.12.2016 Vulnerability discovered.
25.04.2017 Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
30.04.2017 Initial release
02.05.2017 Added reference [2], [3] and [4]
03.05.2017 Added reference [5]