Emby MediaServer 3.2.5 Reflected XSS Vulnerability

2017-04-30T00:00:00
ID ZSL-2017-5402
Type zeroscience
Reporter Gjoko Krstic
Modified 2017-04-30T00:00:00

Description

Title: Emby MediaServer 3.2.5 Reflected XSS Vulnerability
Advisory ID: ZSL-2017-5402
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 30.04.2017

Summary

Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center.

Description

Emby suffers from a reflected XSS issue: user-supplied input in the URL path filename is not properly sanitized when 'not found' errors are handled. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
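The flaw and its fix, as an added illustration (not Emby's code and not part of the advisory): a hypothetical 'not found' template that echoes the request path, rendered once verbatim and once with HTML output encoding, with a parser-based regression check. The template, function names and sample paths are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Hypothetical error template (not Emby's markup): the requested path is
# echoed into an attribute value and into the element body.
TEMPLATE = '<div class="error" data-path="{p}">Not found: {p}</div>'

def not_found_vulnerable(raw_path):
    """Reflect the decoded request path verbatim, as in the flaw described."""
    return TEMPLATE.format(p=unquote(raw_path))

def not_found_hardened(raw_path):
    """Encode & < > " ' so the path is inert in attribute and text contexts."""
    return TEMPLATE.format(p=html.escape(unquote(raw_path), quote=True))

class _TagCollector(HTMLParser):
    """Records the name of every start tag the HTML parser recognises."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(body):
    """Parse a response body; return every element other than the template's div."""
    parser = _TagCollector()
    parser.feed(body)
    parser.close()
    return [t for t in parser.tags if t != "div"]

# Constructed request paths modelled on the advisory's PoC
# (literal and percent-encoded forms).
SAMPLES = [
    '/web/"><script>alert(251)</script>',
    "/web/%22%3E%3Cscript%3Ealert(251)%3C/script%3E",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print("vulnerable:", injected_tags(not_found_vulnerable(path)))
        print("hardened:  ", injected_tags(not_found_hardened(path)))
```

The same `injected_tags` check can serve as a regression test against any error page that reflects request data.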

Vendor

Emby LLC - <https://www.emby.media>

Affected Version

3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0

Tested On

Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3

Vendor Status

[22.12.2016] Vulnerability discovered.
[25.04.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.

PoC

emby_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://blogs.securiteam.com/index.php/archives/3098>
[2] <https://cxsecurity.com/issue/WLB-2017040202>
[3] <https://packetstormsecurity.com/files/142356/>

Changelog

[30.04.2017] - Initial release
[02.05.2017] - Added reference [2] and [3]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            
Emby MediaServer 3.2.5 Reflected XSS Vulnerability


Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
                  3.1.5
                  3.1.2
                  3.1.1
                  3.1.0
                  3.0.0

Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.

Desc: Emby suffers from an XSS issue due to a failure to properly sanitize user-supplied
input to the URL path filename when handling 'not found' errors. Attackers can exploit
this weakness to execute arbitrary HTML and script code in a user's browser session.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
           Ubuntu Linux 14.04.5
           MacOS Sierra 10.12.3
           SQLite3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5402
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5402.php

SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098


22.12.2016

--


PoC:

http://TARGET/web/"><script>alert(251)</script>