ananich bitstorm announce.php SQL injection
Description
A vulnerability classified as critical was found in ananich bitstorm. Affected by this vulnerability is an unknown functionality of the file announce.php. The manipulation of the argument event leads to SQL injection. The identifier of the patch is ea8da92f94cdb78ee7831e1f7af6258473ab396a. It is recommended to apply a patch to fix this issue. The identifier VDB-217621 was assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A critical SQL injection vulnerability in ananich bitstorm's announce.php allows unauthenticated remote attackers to execute arbitrary SQL queries via the event parameter.
Vulnerability
The vulnerability is a SQL injection in the announce.php file of the ananich bitstorm application. The event GET parameter is directly concatenated into an SQL query without sanitization, as shown in the commit diff [1]. The vulnerable code constructs $state = "'" . $_GET['event'] . "'"; and then uses $state in an INSERT ... SELECT query. The patch adds mysql_real_escape_string() to the event parameter and also removes the state column from the query, effectively preventing injection. The affected versions are those prior to commit ea8da92f94cdb78ee7831e1f7af6258473ab396a.
Exploitation
An attacker can exploit this by sending a crafted HTTP GET request to announce.php with a malicious event parameter containing SQL injection payloads. No authentication is required, as the announce.php endpoint is publicly accessible for BitTorrent tracker announce requests. The attacker only needs network access to the vulnerable server. The injection occurs when the event parameter is set; the resulting SQL query is executed against the backend MySQL database.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the database. This could lead to data exfiltration (e.g., reading sensitive peer or torrent information), modification or deletion of database records, and in some configurations, potentially further compromise of the server. The CVSS severity rating of this vulnerability is critical, indicating high impact on confidentiality, integrity, and availability.
Mitigation
The fix was implemented in commit ea8da92f94cdb78ee7831e1f7af6258473ab396a on GitHub [1]. Applying this patch — which uses mysql_real_escape_string() on the event parameter and removes the unsanitized state column from the query — fully resolves the vulnerability. There is no known workaround; users should update their bitstorm installation to the patched version. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
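Added example, not bitstorm's code and not the patch itself: a variant of the fix for current PHP, where the mysql_* functions the patch relies on no longer exist (they were removed in PHP 7.0). It replaces escaping with an allow-list for the event parameter plus a PDO prepared statement. The peer_events table, its columns and both function names are hypothetical, and an in-memory SQLite database stands in for the MySQL backend (PHP 8.0+ with pdo_sqlite assumed).

```php
<?php
declare(strict_types=1);

// Added example, not bitstorm's code. Table, column and function names are
// hypothetical; an in-memory SQLite database stands in for MySQL.

// The announce 'event' values defined by the BitTorrent tracker protocol.
const ANNOUNCE_EVENTS = ['started', 'stopped', 'completed'];

// Map the raw query-string value to a known event, or null when absent/empty.
// Non-strings are rejected too: "event[]=x" makes $_GET['event'] an array.
function parseAnnounceEvent(mixed $raw): ?string
{
    if ($raw === null || $raw === '') {
        return null;
    }
    if (!is_string($raw) || !in_array($raw, ANNOUNCE_EVENTS, true)) {
        throw new InvalidArgumentException('invalid event');
    }
    return $raw;
}

// Store the event through a prepared statement: the value travels as bound
// data and never becomes part of the SQL text.
function recordAnnounce(PDO $db, string $infoHash, string $peerId, ?string $event): void
{
    $stmt = $db->prepare(
        'INSERT INTO peer_events (info_hash, peer_id, event) VALUES (:h, :p, :e)'
    );
    $stmt->bindValue(':h', $infoHash, PDO::PARAM_STR);
    $stmt->bindValue(':p', $peerId, PDO::PARAM_STR);
    $stmt->bindValue(':e', $event, $event === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->execute();
}

// With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE peer_events (info_hash TEXT, peer_id TEXT, event TEXT)');

// Constructed sample inputs, shaped the way $_GET['event'] can arrive.
foreach (['started', '', null, 'Started', ['started']] as $raw) {
    try {
        recordAnnounce($db, 'constructed-hash', 'constructed-peer', parseAnnounceEvent($raw));
        echo json_encode($raw), " accepted\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($raw), " rejected\n"; // a tracker would send a failure response here
    }
}
echo $db->query('SELECT COUNT(*) FROM peer_events')->fetchColumn(), " rows stored\n";
```

The allow-list alone already keeps arbitrary text out of the query; the bound parameter keeps the statement safe even if the list is later widened.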
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References (3)
- github.com/ananich/bitstorm/commit/ea8da92f94cdb78ee7831e1f7af6258473ab396a (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)