GNOME Bugzilla – Bug 577270
Cross Site Scripting in the DAAP Extension
Last modified: 2009-05-04 16:22:58 UTC
There seems to be cross-site scripting in the DAAP extension for Banshee.
This is at least in the URL for GET.
GET /apps/web/vs_diag.cgi?server=<script>GEsEDLP8</script> HTTP/1.0
HTTP/1.1 400 BadRequest
<html><head><title>Invalid Request - Banshee DAAP Browser</title></head><body><h1>Invalid Request</h1><p>The request 'apps/web/vs_diag.cgi?server=<script>GEsEDLP8</script>' could not be processed by server.</p><hr /><address>Generated on 3/30/2009 10:02:02 AM by Banshee DAAP Plugin (<a href="http://banshee-project.org">http://banshee-project.org</a>)Connection closed by foreign host.
I've reported this to the RedHat and Novell/SuSE security teams as a security vulnerability. I have not filed a CVE as some developers take issue with that happening too early, but if I do not hear otherwise by the end of the week, I will be reserving a candidate with MITRE.
Thanks for the report, Anthony. That input should indeed be escaped.
Correct me if you think I'm wrong, but I believe that in practice the number of users this will make vulnerable is close to zero: only those who use their web browser to view Banshee's DAAP proxy - an unadvertised feature. Normally it is used only by Banshee/GStreamer, which I don't believe are vulnerable to the XSS by virtue of ignoring it.
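The reflection shown in the report and the escaping fix agreed on above, as an added Python example that is not Banshee's own (C#) code: a minimal stand-in for the DAAP proxy's "Invalid Request" page is built once by string concatenation (which reflects the request verbatim, as the captured 400 response does) and once with the request HTML-escaped, and a small check confirms whether the marker string from the report survives as live markup. The request lines are the one from the report plus a constructed percent-encoded variant; the assumption that the server percent-decodes the request target before reflecting it is the example's own.

```python
"""Reflected-XSS demonstration for an HTTP error page that echoes the request.

Added example modelled on the bug report; not Banshee's DAAP code.
"""
import html
from urllib.parse import unquote

# Marker string from the original report (constructed request lines below).
PAYLOAD = "<script>GEsEDLP8</script>"
REQUEST_LINE = f"GET /apps/web/vs_diag.cgi?server={PAYLOAD} HTTP/1.0"
# Same request as a browser would send it, with the payload percent-encoded.
ENCODED_LINE = "GET /apps/web/vs_diag.cgi?server=%3Cscript%3EGEsEDLP8%3C/script%3E HTTP/1.0"


def parse_request_line(line: str) -> str:
    """Return the request target of an HTTP/1.x request line without its leading '/'.

    Assumption: the server percent-decodes the target before using it, so an
    encoded payload delivered via a link ends up identical to the raw one.
    """
    method, target, version = line.split(" ", 2)
    return unquote(target).lstrip("/")


def _page(body_fragment: str) -> str:
    """Static skeleton of the error page; only the fragment varies."""
    return (
        "<html><head><title>Invalid Request - DAAP Browser</title></head>"
        "<body><h1>Invalid Request</h1>"
        f"<p>The request '{body_fragment}' could not be processed by server.</p>"
        "</body></html>"
    )


def render_error_page_vulnerable(request_path: str) -> str:
    """Reflects the attacker-controlled path into HTML unchanged (the reported behaviour)."""
    return _page(request_path)


def render_error_page_fixed(request_path: str) -> str:
    """Escapes <, >, &, and quotes so the path renders as text, not markup."""
    return _page(html.escape(request_path, quote=True))


def reflects_unescaped(page: str, marker: str = PAYLOAD) -> bool:
    """True if the marker appears verbatim in the page, i.e. would execute as script."""
    return marker in page


if __name__ == "__main__":
    for line in (REQUEST_LINE, ENCODED_LINE):
        path = parse_request_line(line)
        print("vulnerable reflects script:", reflects_unescaped(render_error_page_vulnerable(path)))
        print("fixed reflects script:     ", reflects_unescaped(render_error_page_fixed(path)))
```

The same probe (request the page, look for the marker verbatim in the body) is how one would confirm the 1.4.4 fix from the outside; the `quote=True` argument matters because the reflected value sits inside single quotes in the page text.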
Yeah, I agree that the number of users that could be affected is very very low.
There is a situation where it is "exploitable" though.
You can send a user to
I have pushed a fix to both the stable branch (from which 1.4.4 will be released) and master (from which 1.5.0 etc will come).