GNOME Bugzilla – Bug 577270
Cross Site Scripting in the DAAP Extension
Last modified: 2009-05-04 16:22:58 UTC
There seems to be cross-site scripting in the DAAP extension for Banshee. This is at least in the URL for GET.

GET /apps/web/vs_diag.cgi?server=<script>GEsEDLP8</script> HTTP/1.0

HTTP/1.1 400 BadRequest
Content-Length: 352
Content-Type: text/html
Connection: close

<html><head><title>Invalid Request - Banshee DAAP Browser</title></head><body><h1>Invalid Request</h1><p>The request 'apps/web/vs_diag.cgi?server=<script>GEsEDLP8</script>' could not be processed by server.</p><hr /><address>Generated on 3/30/2009 10:02:02 AM by Banshee DAAP Plugin (<a href="http://banshee-project.org">http://banshee-project.org</a>)
Connection closed by foreign host.
I've reported this to the RedHat and Novell/SuSE security teams as a security vulnerability. I have not filed a CVE as some developers take issues with that happening too early, but if I do not hear otherwise by the end of the week, I will be reserving a candidate with MITRE.
Thanks for the report, Anthony. That input should indeed be escaped. Correct me if you think I'm wrong, but I believe that in practice the number of users this will make vulnerable is close to zero: only those who use their web browser to view Banshee's DAAP proxy - an unadvertised feature. Normally it is used only by Banshee/GStreamer, which I don't believe are vulnerable to the XSS by virtue of ignoring it. Your thoughts?
Yeah, I agree that the number of users that could be affected is very very low. There is a situation where it is "exploitable" though. You can send a user to http://localhost:8089/<xss-here/>. Technically, that's "exploiting". However, that requires the attacker to guess who is using the DAAP extension, which is a bit absurd. Anyway, the only value to exploiting it is that if for some reason the web browser trusted localhost in some way or another (e.g. maybe it lets you do special things with JavaScript that would otherwise be denied). I don't think this is the case for most browsers. And then there's always phishing, but I think we agree that's also pretty absurd.
I have pushed a fix to both the stable branch (from which 1.4.4 will be released) and master (from which 1.5.0 etc will come).
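As an added illustration of the escaping fix discussed in this thread (example code, not Banshee's own C# implementation), the sketch below builds the proxy's "Invalid Request" page from the request line both verbatim, as the quoted response shows, and with HTML escaping applied; the template text comes from the response in the report, while the function names and the response builder are assumptions of this example.

```python
import html

# Constructed sample: the request path reflected in the report's 400 response.
REQUEST_PATH = "apps/web/vs_diag.cgi?server=<script>GEsEDLP8</script>"

_TEMPLATE = (
    "<html><head><title>Invalid Request - Banshee DAAP Browser</title></head>"
    "<body><h1>Invalid Request</h1><p>The request '{request}' "
    "could not be processed by server.</p></body></html>"
)


def render_error_page_unescaped(request_path: str) -> str:
    """Reproduces the defect: the request line is interpolated into HTML as-is,
    so any markup in the URL becomes part of the document the browser parses."""
    return _TEMPLATE.format(request=request_path)


def render_error_page_escaped(request_path: str) -> str:
    """Hardened form: the untrusted value is escaped for an HTML text context
    before interpolation, so '<', '>', '&' and quotes arrive as entities."""
    return _TEMPLATE.format(request=html.escape(request_path, quote=True))


def build_400_response(body: str) -> bytes:
    """Assumed helper: wrap a body in the headers the proxy sent, computing
    Content-Length from the encoded body rather than hard-coding it."""
    encoded = body.encode("utf-8")
    headers = (
        "HTTP/1.1 400 Bad Request\r\n"
        f"Content-Length: {len(encoded)}\r\n"
        "Content-Type: text/html\r\n"
        "Connection: close\r\n\r\n"
    )
    return headers.encode("ascii") + encoded


def reflects_raw_markup(body: str, marker: str = "<script>") -> bool:
    """Detection check: True when the raw marker survives into the response."""
    return marker in body
```

Running `reflects_raw_markup` over the two renderings shows the unescaped page still carries the script tag while the escaped page carries only `&lt;script&gt;`.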