Cross-Site Request Forgery (CSRF) in ampache/ampache


Reported on

Jul 24th 2021

✍️ Description

When you don't set the SameSite attribute of cookies the browsers have special act in front of this issue.(I mean set default value on it) chrome and chromium based browsers set the attribute "Lax" that mean if you do add/delete/alter operation in a get HTTP request then your site more vulnerable with CSRF attacks.

But Firefox ( one of big ones ) don't set this attribute to "Lax" and set it to "none" that makes all POST and GET requests more Vulnerable to CSRF attack.

In you don't set any SameSite attribute for your cookies. In also you set SameSite attribute for all cookies to "Strict" that is good but for main session cookie that name "ampache" you didn't set any SameSite attribute.

Also you set a parameter that named from_validation then I put the of this parameter to nothings like this from_validation=&subject=..... and then I could bypass this protection too.

So in Firefox attacker can send any message to any user With CSRF attack that users already allowed manually do it.

🕵️‍♂️ Proof of Concept

// PoC.html

  <script>history.pushState('', '', '/')</script>
    <form action="" method="POST">
      <input type="hidden" name="to&#95;user" value="demo" />
      <input type="hidden" name="subject" value="RE&#58;&#32;aaa" />
      <input type="hidden" name="message" value="fsdafsadfds&#13;&#10;&#13;&#10;&#45;&#45;&#45;&#13;&#10;&gt;&#32;aaaa" />
      <input type="hidden" name="form&#95;validation" value="" />
      <input type="submit" value="Submit request" />

💥 Impact

This vulnerability is capable send any message to any user that have high impact on Integrity of user interactions.


You should set SameSite attribute to Lax and don't use Get method for writing, Or use strict if you don't want to share cookies to any third party application.


2 years ago


@admin can you ping me as a maintainer for this report?

2 years ago


Hey lachlan, I've authorised you as the maintainer for this report, meaning you'll have rights for all future reports against ampache. Please let me know if you're still unable to view/interact with this page, thanks!

2 years ago


Hi dear ampache team, if you want more help just tell me

lachlan validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
lachlan marked this as fixed with commit efed4e 2 years ago
lachlan has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation