Reflected XSS in Path Traversal detector in azuracast/azuracast

Valid

Reported on

Apr 20th 2023


Description

AzuraCast has a feature that blocks all path traversal attempts (good job implementing it). But when AzuraCast blocks an attack, it reflects the path without sanitizing the output (PathTraversalDetected.php).

It is possible to perform attacks like reflected XSS or HTML injection.

Steps to reproduce

  1. Prepare the link and send it to the victim (an admin)
  2. If the admin opens the link, the XSS is fired

Proof of Concept (just navigate the link)

http://<YOURSITE>/api/station/1/files/download?file=../a.png%3Cscript%3Ealert(document.cookie)%3C/script%3E

Small note: this attack can be chained to another vulnerability (about an RCE), in order to gain a one-click remote code execution (https://huntr.dev/bounties/a4afda09-5f76-4c55-b3c0-9431e9af653b).

I hope I was helpful. XSS - Cookie steal HTML INJECTION

Impact

This vulnerability allows attackers to hijack the user's current session, steal relevant information, deface the website or direct users to malicious websites, and allows the attacker to use it for further exploitation.
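The defect class described in this report, a rejected path echoed into an HTML error response, is shown below next to its output-encoded form. This is an added example, not AzuraCast's PathTraversalDetected.php and not the contents of the fix commit; the function names are hypothetical, the detector is a simplified stand-in, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an error page produced by a path traversal
// detector. Names and markup are assumptions, not the project's code.

/** Demo-only detector: flags any ".." path segment. */
function isTraversal(string $path): bool
{
    $segments = explode('/', str_replace('\\', '/', $path));
    return in_array('..', $segments, true);
}

/** Vulnerable: the rejected path is concatenated into HTML unescaped. */
function renderBlockedUnsafe(string $path): string
{
    return '<p>Path traversal detected: ' . $path . '</p>';
}

/** Hardened: the rejected path is HTML-encoded before it is reflected. */
function renderBlockedSafe(string $path): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<p>Path traversal detected: '
        . htmlspecialchars($path, $flags, 'UTF-8')
        . '</p>';
}

// Decoded value of the "file" parameter from the proof-of-concept link.
$file = '../a.png<script>alert(document.cookie)</script>';

if (isTraversal($file)) {
    $unsafe = renderBlockedUnsafe($file);
    $safe   = renderBlockedSafe($file);

    // The detector correctly blocks the request in both cases; only the
    // unsafe renderer lets the attacker-supplied markup reach the browser.
    printf("unsafe has <script>: %s\n", str_contains($unsafe, '<script>') ? 'yes' : 'no');
    printf("safe has <script>:   %s\n", str_contains($safe, '<script>') ? 'yes' : 'no');
    echo $safe, "\n";
}
```

Blocking the traversal and encoding the error output are independent controls: the request is rejected either way, and only the encoding step decides whether the rejected value is rendered as markup.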

We are processing your report and will contact the azuracast team within 24 hours. 8 months ago
Hakiduck modified the report
8 months ago
We have contacted a member of the azuracast team and are waiting to hear back 7 months ago
Buster Neece validated this vulnerability 7 months ago

Valid issue. Thank you for the report! Fixed in the latest Rolling Release.

Hakiduck has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Buster Neece marked this as fixed in 0.18.2 with commit 550208 7 months ago
Buster Neece has been awarded the fix bounty
This vulnerability will not receive a CVE
Buster Neece published this vulnerability 7 months ago