XSS by title

[CRTified]

Hi there,

Even if the attack scenario is somewhat "strange", it would be nice if the information that ympd recieves from the mpd server would get sanitized.

I did not dig into the code at the moment, but I suspect a rudimentary filter, as the following command does not trigger an XSS:

mpc add "http://0/<script>alert(1)</script>"

although adding a file to the library with <script>alert(1)</script> inside a visible tag (e.g. the title) triggers a code execution when browsed to this file inside the database. Also the usual filter preventions work, too, as adding a stream that contains <img src=x onerror=alert(1)> works fine for triggering the alert.

Steps to reproduce:
Add a Stream with a malicious img-tag (it does not need to play, it just needs to be present inside the playlist).

mpc add "http://0/<img src=x onerror=alert(1)>"

Then visit the ympd-interface with your browser.

I must admit that I did not test many ways to gain javascript execution, because even these two ways (local file and stream), especially the stream, may cause enough problems.

In my opinion, the correct way to fix this problem would be to sanitize every string that gets recieved from mpd (and gets printed), especially the "evil HTML characters" should be filtered out (",',<,>,= and so on).
Maybe there is a simple HTML sanitizer library for C out there to solve this problem clean and quick.

If you have any question, I'd be happy to discuss and help, but I must admit that I am not really able to write code in C.

Cheers,
Amarandus