Ampache 3.7.0, Reflected XSS
The default installation of Ampache includes a script in the web root named 'show_get.php' which, when supplied with two query-string arguments (QSAs), can be made to output unsanitized content. This could be used to inject arbitrary content in the context of the user visiting the page, and could also be leveraged to perform actions within Ampache if that user is currently logged in.
Homepage
https://github.com/ampache/ampache
CVSS Score
5
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Update the project from the Git repository at https://github.com/ampache/ampache/. 3.8 will not be ready for release in the near future, so this will have to suffice.
Proof of Concept
Visiting the following URL results in an alert being fired:
localhost/show_get.php?param_name=xss&xss=<script>alert(".")</script>
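To illustrate the pattern the advisory describes (one query-string argument names a second one, whose value is reflected into the page unsanitized) and what the fix looks like, here is an added example. It is not Ampache's show_get.php or the vendor's patch; the function names and the list of reflectable parameter names are assumptions for this illustration.

```php
<?php
// Added illustration of the reflected-XSS pattern, not Ampache's own code.
// Function names and the $allowed list are assumptions for this example.

// Vulnerable pattern: the parameter named by 'param_name' is looked up and
// written into the response verbatim, so a request such as
// ?param_name=xss&xss=<script>...</script> lands in the HTML unescaped.
function render_vulnerable(array $get): string
{
    $name  = $get['param_name'] ?? '';
    $value = $get[$name] ?? '';
    return '<p>' . $value . '</p>';
}

// Hardened pattern: only reflect parameters the script actually expects,
// and HTML-encode the value for the context it is written into.
function render_hardened(array $get): string
{
    $allowed = ['user', 'playlist'];           // assumption: names the page may echo
    $name = $get['param_name'] ?? '';
    if (!in_array($name, $allowed, true)) {    // strict comparison: no type juggling
        return '';                             // unknown parameter name: reflect nothing
    }
    // ENT_QUOTES encodes both quote styles, so the result is safe in text and
    // attribute contexts; the explicit charset avoids encoding-based bypasses.
    $value = htmlspecialchars($get[$name] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>' . $value . '</p>';
}

// Constructed request mirroring the advisory's proof of concept.
$poc = ['param_name' => 'xss', 'xss' => '<script>alert(".")</script>'];

// The vulnerable renderer passes the script tag through to the browser.
echo render_vulnerable($poc), PHP_EOL;

// The hardened renderer rejects the unknown name 'xss' outright.
echo render_hardened($poc), PHP_EOL;

// Even for an allowed name, the same payload is encoded, not executed.
echo render_hardened(['param_name' => 'user', 'user' => $poc['xss']]), PHP_EOL;
```

Run with `php example.php` and compare the three lines: only the first contains a raw `<script>` element.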
Timeline
- 2014-10-24: Discovered
- 2014-10-24: Vendor notified
- 2014-10-24: Response from vendor requesting more information
- 2014-10-27: Report URL sent to vendor
- 2014-10-27: Vendor responded with fix in GIT repo (https://github.com/ampache/ampache/commit/5dde2659f94daee3f3a18effb464707f6b4e1b3b)
- 2014-11-03: CVE requested
- 2014-11-05: CVE assigned
- 2014-11-05: Advisory released