Reflected Cross Site Scripting in ampache/ampache
Reported on
Dec 30th 2022
Description
A user can inject malicious JavaScript into the action parameter of the URL http://localhost//stats.php?action={inject_here}&user_id=1; sending that link to another user allows the attacker to steal that user's cookie. The action parameter is not validated on input on line 71 of https://github.com/ampache/ampache/blob/develop/src/Module/Application/ApplicationRunner.php
Proof of Concept
GET //stats.php?action={inject_here}&user_id=1 HTTP/1.1
Host: localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ampache=tlj0ei79m4qnjvl87l3gsd373t; ampache_user=admin; ampache_lang=en_US
Connection: close
Impact
This bug can lead to the takeover of other users' accounts.
Occurrences
Hi @lachlan, you can copy this link to view the PoC: https://drive.google.com/file/d/1Cw3mIdAMX3_0vF8MVa3HOBbv0ZlmYJpJ/view?usp=sharing Thanks!
Is there a reason why the application runner XSS is working with stats.php and not other pages? Seems like that should work with all of them.
Found it, it's actually a bug in public/templates/show_graphs.inc.php L84
Hi @lachlan, I'm sorry about the mistake.
Because the action param on line 84 of file ampache/public/templates/show_graphs.inc.php
is <input type="hidden" name="action" value="<?php echo filter_input(INPUT_GET, 'action', FILTER_SANITIZE_URL); ?>" />
the action param is not validated, which leads to the XSS vulnerability.
Thank you!
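As an added example (not Ampache's code and not its actual patch), here is the template pattern quoted above beside two hardened forms, with a small check showing why FILTER_SANITIZE_URL is the wrong filter for an HTML attribute. The allowlist of action values and the probe string are assumptions constructed for the example.

```php
<?php
// Added example, not Ampache's code. Shows why FILTER_SANITIZE_URL does not
// protect an HTML attribute, and two defensive fixes for the template line
// discussed in the thread. Probe value and allowlist are constructed here.
declare(strict_types=1);

// Pattern from the report: FILTER_SANITIZE_URL only strips characters that
// are invalid in a URL. Double quotes and angle brackets are valid URL
// characters, so they reach the attribute untouched.
function renderActionFieldVulnerable(string $action): string
{
    $value = filter_var($action, FILTER_SANITIZE_URL);
    return '<input type="hidden" name="action" value="' . $value . '" />';
}

// Fix 1: encode for the HTML attribute context. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE avoids an empty result on malformed UTF-8.
function renderActionFieldEscaped(string $action): string
{
    $value = htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="action" value="' . $value . '" />';
}

// Fix 2 (stronger): "action" selects a route, so accept only known values and
// fall back to a safe default. This allowlist is an assumption for the
// example, not Ampache's real set of actions.
const ALLOWED_ACTIONS = ['show', 'newest', 'popular', 'highest'];

function renderActionFieldAllowlisted(string $action): string
{
    $value = in_array($action, ALLOWED_ACTIONS, true) ? $action : 'show';
    return '<input type="hidden" name="action" value="' . $value . '" />';
}

// True if the rendered value still contains a raw quote or angle bracket,
// i.e. the attribute boundary can be broken by the input.
function attributeCanBeBroken(string $rendered): bool
{
    $inner = substr($rendered, strlen('<input type="hidden" name="action" value="'));
    $inner = substr($inner, 0, -strlen('" />'));
    return strpbrk($inner, '"<>') !== false;
}

// Constructed probe: closes the attribute and adds a harmless data attribute.
$probe = 'x" data-injected="1';
foreach (['renderActionFieldVulnerable', 'renderActionFieldEscaped', 'renderActionFieldAllowlisted'] as $fn) {
    printf("%-30s breaks attribute: %s\n", $fn, attributeCanBeBroken($fn($probe)) ? 'yes' : 'no');
}
```

Running it reports "yes" for the FILTER_SANITIZE_URL version and "no" for both fixes, which is the check a reviewer would want before accepting a patch for this template.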
