$_COOKIE[STATIONSID] is not escaped.
It is then used directly inside an SQL query:
Because this function is responsible for authentication, we can log in as any user.
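The following PHP is an added illustration of the pattern described above and of how it is usually fixed; it is not QNAP's code. The table name `sessions`, the columns `sid` and `username`, and the assumption that a genuine session id is a hex string are all constructed for the example.

```php
<?php
// Added example, not the product's code. Table and column names and the
// session-id format are assumptions made for this illustration.

// Vulnerable pattern: the cookie value is pasted into the SQL text, so the
// database parses whatever the client sent as part of the query. When the
// query result decides who is logged in, this is an authentication bypass.
function lookupSessionVulnerable(PDO $db, array $cookies): ?array
{
    $sid = $cookies['STATIONSID'] ?? '';
    $sql = "SELECT username FROM sessions WHERE sid = '$sid'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: validate the shape of the identifier first, then bind it
// as a parameter so the driver never treats it as SQL.
function lookupSessionSafe(PDO $db, array $cookies): ?array
{
    $sid = $cookies['STATIONSID'] ?? '';
    // Assumed format of application-issued session ids; reject anything else early.
    if (!preg_match('/^[A-Fa-f0-9]{32,64}$/', $sid)) {
        return null;
    }
    $stmt = $db->prepare('SELECT username FROM sessions WHERE sid = :sid');
    $stmt->execute([':sid' => $sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database with one constructed session row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO sessions VALUES ('0123456789abcdef0123456789abcdef', 'admin')");

$validCookie   = ['STATIONSID' => '0123456789abcdef0123456789abcdef'];
$invalidCookie = ['STATIONSID' => "it's-not-a-session"]; // contains a quote character

echo "safe lookup, valid sid: ";
var_dump(lookupSessionSafe($db, $validCookie));

echo "safe lookup, malformed sid (rejected before any query runs): ";
var_dump(lookupSessionSafe($db, $invalidCookie));

// A single quote in the cookie is enough to break the vulnerable query; the
// resulting database error is the same symptom an advisory's "invalid sid"
// response exhibits, and it is the tell that the value reaches the SQL parser.
echo "vulnerable lookup, malformed sid: ";
try {
    var_dump(lookupSessionVulnerable($db, $invalidCookie));
} catch (PDOException $e) {
    echo "SQL error: " . $e->getMessage() . PHP_EOL;
}
```

The important difference is that the safe version never lets the cookie change the query's structure: the format check drops anything that is not a plausible session id, and the bound parameter guarantees that even a value that passes the check is compared as data. Watching for SQL syntax errors triggered by cookie values in application or database logs is a practical way to detect probing of this kind of flaw.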
Proof of Concept:
When we send an invalid sid, the response looks like this:
- 26-01-2017: Discovered
- 26-01-2017: Vendor notified
- 24-02-2017: Photo Station (5.3.4 / 5.2.5) and Music Station (5.0.4 / 4.8.5) have been released