Emby MediaServer 3.2.5 Boolean-based Blind SQL Injection Vulnerability

Title: Emby MediaServer 3.2.5 Boolean-based Blind SQL Injection Vulnerability
Advisory ID: ZSL-2017-5400
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 30.04.2017
Summary
Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center.
Description
Emby suffers from a blind SQL injection vulnerability. Input passed via the GET parameter 'MediaTypes' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Vendor
Emby LLC - https://www.emby.media
Affected Version
3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3
Vendor Status
[22.12.2016] Vulnerability discovered.
[25.04.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
PoC
emby_sqli.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://blogs.securiteam.com/index.php/archives/3098
[2] https://www.exploit-db.com/exploits/41946/
[3] https://cxsecurity.com/issue/WLB-2017040200
[4] https://packetstormsecurity.com/files/142354
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/125526
Changelog
[30.04.2017] - Initial release
[02.05.2017] - Added reference [2], [3] and [4]
[03.05.2017] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk