3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-9449-rphm-mjqr

GHSA-9449-rphm-mjqr: AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE

An API endpoint that is intended for internal use by the SFTP software sftpgo was mistakenly exposed to the public-facing HTTP API for AzuraCast installations.

This would allow a user with specific internal knowledge of a station's operations to craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station.

With a request like:

curl -s -X POST "http://localhost/api/internal/sftp-event"   -H "Content-Type: application/json"   -d '{
    "action": "pre-delete",
    "username": "admin",
    "path": "/var/azuracast/stations/test/media/test.mp3"
}'

A remote user could simulate a request from sftpgo informing the software that a file was about to be deleted from the path given. In anticipation of this, AzuraCast would delete the corresponding database record for that file. While AzuraCast would then later discover on its own that the file actually exists and recreate the media record, it would not have the same playlist associations or custom metadata as the previous instance of the media record in the database.

Some mitigating factors affecting the severity of this issue include:

A user would need to know a valid SFTP username corresponding to the specific station in question.
A user would need to know the internal filesystem structure of a station (or be able to brute-force or guess paths).
Any call to this internal API endpoint does not return any information to the calling process about what files are present or aren't, so no confidential internal information is revealed by this process.

Patched versions of AzuraCast specifically check that any calls to this internal URL are being called by the internal HTTP service, which only listens for activity on localhost and is not accessible from outside the container.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-9449-rphm-mjqr

GHSA-9449-rphm-mjqr:

3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
azuracast/azuracast	composer	<= 0.23.1	0.23.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two internal API endpoints, /api/internal/sftp-event and /api/internal/sftp-auth, being incorrectly exposed to the public internet. These endpoints were intended for communication with an internal SFTP service. The analysis of the patch commit 34620dbad93f6cd8e209a4220e3e53c7c5fea844 reveals that the fix was to introduce and apply a new middleware, App\Middleware\RequireInternalConnection. This middleware restricts access to these endpoints to requests originating from within the application's local container environment.

The routing configuration file backend/config/routes/api_internal.php explicitly maps these endpoints to the App\Controller\Api\Internal\SftpEventAction and App\Controller\Api\Internal\SftpAuthAction controller classes. Since these controllers were invoked without the necessary authorization check prior to the patch, their main handler methods (typically __invoke in this framework) are the vulnerable functions. Exploitation involves sending a crafted HTTP POST request to these endpoints, which would then be processed by these vulnerable functions, leading to unintended actions like the deletion of database records.

Vulnerable functions

App\Controller\Api\Internal\SftpEventAction::__invoke

backend/config/routes/api_internal.php

This controller action handles the `/api/internal/sftp-event` route. Before the patch, this route was not protected by any authentication or network-level access control, allowing it to be called by external users. This could be abused to make the application delete media file records from the database by simulating an event from the internal SFTP service. The patch adds the `RequireInternalConnection` middleware to ensure only internal services can access this endpoint.

App\Controller\Api\Internal\SftpAuthAction::__invoke

backend/config/routes/api_internal.php

This controller action handles the `/api/internal/sftp-auth` route. Similar to the `SftpEventAction`, this endpoint was mistakenly exposed to the public without proper access control. An attacker could potentially abuse this to interfere with SFTP authentication mechanisms. The patch mitigates this by adding the `RequireInternalConnection` middleware, restricting its access to internal services only.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.1

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-9449-rphm-mjqr: AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE

GHSA-9449-rphm-mjqr:

3.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

3.1

3.1

Technical Details

GHSA-9449-rphm-mjqr: AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI