Reflected Cross Site Scripting in ampache/ampache

Valid

Reported on

Dec 30th 2022


Description

A user can inject malicious JavaScript through the action parameter in the URL http://localhost//stats.php?action={inject_here}&user_id=1 and send the link to other users to steal their cookies. The action parameter receives no input validation from the user on line 71 of the file https://github.com/ampache/ampache/blob/develop/src/Module/Application/ApplicationRunner.php

Proof of Concept

GET //stats.php?action={inject_here}&user_id=1 HTTP/1.1
Host: localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ampache=tlj0ei79m4qnjvl87l3gsd373t; ampache_user=admin; ampache_lang=en_US
Connection: close


Impact

This bug can lead to the takeover of other users' accounts.

We are processing your report and will contact the ampache team within 24 hours. 4 months ago
We have contacted a member of the ampache team and are waiting to hear back 4 months ago
ampache/ampache maintainer has acknowledged this report 4 months ago
lachlan
4 months ago

Maintainer


That drive link may have expired.

giangdv
4 months ago

Researcher


Hi @lachlan you can copy this link to view Poc: https://drive.google.com/file/d/1Cw3mIdAMX3_0vF8MVa3HOBbv0ZlmYJpJ/view?usp=sharing Thanks!

lachlan gave praise 4 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
lachlan validated this vulnerability 4 months ago
giangdv has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
lachlan
4 months ago

Maintainer


Is there a reason why the application runner XSS is working with stats.php and not other pages? Seems like that should work with all of them.

lachlan
4 months ago

Maintainer


Found it, it's actually a bug in public/templates/show_graphs.inc.php L84

lachlan marked this as fixed in 5.5.7 with commit d31915 4 months ago
lachlan has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 1st 2023
ApplicationRunner.php#L71 has been validated
giangdv
4 months ago

Researcher


Hi @lachlan, I'm sorry about the mistake.
Because the action param on line 84 of file ampache/public/templates/show_graphs.inc.php is <input type="hidden" name="action" value="<?php echo filter_input(INPUT_GET, 'action', FILTER_SANITIZE_URL); ?>" />, the action param is not validated, which leads to the XSS vulnerability. Thank you!
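
Why the sanitizer on that line does not help, shown as an added example (not ampache's code and not the change in the fix commit): FILTER_SANITIZE_URL keeps double quotes and angle brackets because they are URL-legal characters, so the reflected value can close the value="..." attribute, whereas escaping for the HTML attribute context turns the same input into one literal string. The probe string and the helper names are constructed for the demonstration.

```php
<?php
// Added example (not ampache's code): why FILTER_SANITIZE_URL leaves the
// action value unsafe inside an HTML attribute, and a context-correct escape.

declare(strict_types=1);

// What show_graphs.inc.php L84 does: strip characters that are not URL-legal.
// '"', '<', '>' and '/' are all URL-legal, so they pass through untouched.
function action_url_sanitized(string $raw): string
{
    return (string) filter_var($raw, FILTER_SANITIZE_URL);
}

// Hardened (illustration, not the project's fix): the value lands inside an
// attribute, so escape for HTML with both quote kinds covered; the browser then
// sees a single literal string and the attribute cannot be closed early.
function action_html_escaped(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The template line from the report, with the emitted value parameterised.
function hidden_action_input(string $value): string
{
    return '<input type="hidden" name="action" value="' . $value . '" />';
}

// Constructed probe: closes the attribute and injects an inert tag, which is
// enough to show the breakout without executing anything.
$probe = '"><i>probe</i>';

$vulnerable = hidden_action_input(action_url_sanitized($probe));
$hardened   = hidden_action_input(action_html_escaped($probe));

// Checks a reviewer can run: the URL filter changed nothing, while the HTML
// escape left no raw quote or angle bracket in the emitted attribute value.
assert(action_url_sanitized($probe) === $probe);
assert(strpbrk(action_html_escaped($probe), '"<>') === false);

echo "URL-filtered: $vulnerable\n";   // attribute closed, <i> tag injected
echo "HTML-escaped: $hardened\n";     // value="&quot;&gt;&lt;i&gt;probe&lt;/i&gt;"
```

The same rule applies to any value read with filter_input() and echoed into markup: the filter must match the output context (HTML body, attribute, URL, JavaScript), and FILTER_SANITIZE_URL matches none of the HTML ones.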

lachlan published this vulnerability 3 months ago