
SQLite injection attacks possible

Open DaHoC opened this issue 10 years ago • 1 comment

The app is vulnerable to SQL injection attacks.

  • Steps to reproduce:

    When creating a new playlist and entering the name (e.g. long click on a song > Add to playlist > New playlist) you may enter characters such as ' which are then interpreted by SQLite but should not be. You can see the SQLite errors when using USB debugging connected to a PC. Additionally, the app crashes.

  • Expected behaviour:

    The string of the playlist name should not be interpreted but rather be part of the name, such that names like "Assassin's Creed" are possible. Furthermore, the app should not crash.

  • Impact:

    Currently the impact is limited to the local SQLite database of the Apollo app. It may be possible to inject URLs for Apollo to load (such as advertisements instead of the album covers) or media streams containing malware, but I do not know enough of Apollo internals to evaluate probable scenarios. In combination with possible other bugs this may even become critical.

  • Screenshot: apollo_sqlite_injection

  • Version:

    Apollo Version 1.1 Cyanogenmod 11-20140609-SNAPSHOT-M7-i9300 Android 4.4.2 German

DaHoC, Jul 10 '14 09:07
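The report above describes the classic shape of the bug: a user-supplied playlist name is spliced into the text of an SQL statement, so a single quote ends the string literal and the rest of the name is parsed as SQL. The following is an added example, not Apollo's code and not anything from the issue or the CyanogenMod project: it models the playlist insert in Python's standard `sqlite3` module, once with string concatenation (the reporter's observed behaviour, including the `syntax error` that surfaces as a crash) and once with parameter binding (the fix). The table name, column names and the two test names are constructed for this demonstration. Python's `sqlite3.Connection.execute()` runs one statement per call, as Android's `SQLiteDatabase.execSQL()` does, so the payload shown reshapes the single `INSERT` into a multi-row `VALUES` list rather than stacking a second statement.

```python
"""
Constructed demonstration of the playlist-name injection described in the issue.
This is NOT Apollo's code; it is a minimal stand-in that models the two ways the
name can reach SQLite: concatenated into the statement text, or bound as a parameter.
"""
import sqlite3


def open_db():
    """In-memory SQLite database with a 'playlists' table (constructed schema, not Apollo's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE playlists (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def add_playlist_vulnerable(conn, name):
    """Models the bug: the user-supplied name is concatenated into the SQL text.

    A single quote inside `name` closes the string literal early; whatever follows
    is parsed as SQL. For "Assassin's Creed" that is a syntax error (the crash the
    reporter saw); for a crafted name it is an extra row the user never typed.
    """
    conn.execute("INSERT INTO playlists (name) VALUES ('" + name + "')")
    conn.commit()


def add_playlist_safe(conn, name):
    """The fix: the name is bound as a parameter, so SQLite stores it verbatim
    and never parses it as SQL. (On Android the equivalents are
    SQLiteDatabase.insert() with ContentValues or execSQL(sql, bindArgs).)"""
    conn.execute("INSERT INTO playlists (name) VALUES (?)", (name,))
    conn.commit()


def playlist_names(conn):
    """Return the stored playlist names in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM playlists ORDER BY id")]


def try_add(add_fn, name):
    """Run one insert against a fresh database.

    Returns (stored_names, error_message_or_None) so callers can see both the
    rows that ended up in the table and the SQLite error, if any.
    """
    conn = open_db()
    try:
        add_fn(conn, name)
    except sqlite3.Error as exc:
        return playlist_names(conn), str(exc)
    return playlist_names(conn), None


if __name__ == "__main__":
    # Constructed inputs: the legitimate name from the issue, and a name that
    # turns the single INSERT into a two-row VALUES list.
    for name in ("Assassin's Creed", "x'), ('injected"):
        for fn in (add_playlist_vulnerable, add_playlist_safe):
            names, err = try_add(fn, name)
            print(f"{fn.__name__:24} {name!r:22} -> rows={names} error={err}")
```

Running the block prints four lines: the concatenating insert fails on the apostrophe with a `syntax error` and silently stores two rows for the crafted name, while the parameterised insert stores both names exactly as typed. The `try_add` wrapper is only there to make the failure observable; in the app the same `SQLiteException` propagates out of the insert unhandled, which is the crash the reporter describes.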

  • Issue persists after CM update with:

    Apollo Version 1.1 Cyanogenmod 11-20140708-SNAPSHOT-M8-i9300 Android 4.4.4 German

DaHoC, Jul 16 '14 15:07