JamesHeinrich / getID3

http://www.getid3.org/

Reflected XSS Vulnerability in demo.browse.php (all version?) #446

Closed j3rech0 closed 2 months ago

j3rech0 commented 3 months ago

File Location: \demos\demo.browse.php
Vulnerable Parameter: filename=

Steps to Reproduce:

  1. Download the file from GitHub.
  2. Browse /demos/demo.browse.php and comment out the code in Line 15 or 16 that says die('For security reasons, this demo has been disabled. It can be enabled by removing line '.__LINE__.' in demos/'.basename(__FILE__));
  3. Then browse to, e.g., https://YOUR_LOCAL_DOMAIN/getID3-VERSION/demos/demo.browse.php?filename=%3Cscript%3Ealert(1)%3C/script%3E

Affected version:

Tested in getID3-1.9.8, getID3-1.9.20, getID3-1.9.23, getID3-2.0.0-beta6; probably all?

PoC:

[PoC screenshot]

I have PoC on some running websites if you want other proof. Cheers!

JamesHeinrich commented 2 months ago

Please feel free to submit a proposed fix if you have one.

j3rech0 commented 2 months ago

@JamesHeinrich

https://github.com/JamesHeinrich/getID3/blob/641549245699b8f0c3c01cb201f39a7f22b49f1b/demos/demo.browse.php#L91

Try wrapping it with htmlentities:

die(htmlentities(getid3_lib::iconv_fallback($FileSystemEncoding, $PageEncoding, $_REQUEST['filename']).' does not exist'));

JamesHeinrich commented 2 months ago

Changed in https://github.com/JamesHeinrich/getID3/commit/a1785afcccb4d32b41f2417c17fcd02bba072dc3
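The unencoded output and the proposed htmlentities() wrapping side by side, as an added PHP example that is not getID3's own code. It assumes $filename is already in the page encoding (the demo's getid3_lib::iconv_fallback() step is omitted) and uses $pageEncoding as a stand-in for the demo's $PageEncoding.

```php
<?php
// Added example, not code from getID3: the two halves of the fix discussed in
// this issue. The demo's getid3_lib::iconv_fallback() step is left out, so
// $filename is assumed to already be in the page encoding ($pageEncoding
// stands in for the demo's $PageEncoding).

// Vulnerable form: the request parameter goes into the HTML body untouched,
// so a filename such as <script>alert(1)</script> is parsed as markup.
function notFoundMessageVulnerable(string $filename): string
{
    return $filename . ' does not exist';
}

// Hardened form: encode for the HTML text context before output.
// ENT_QUOTES also encodes single quotes, which matters if the same value is
// ever placed inside a '...'-delimited attribute. ENT_SUBSTITUTE replaces
// invalid byte sequences instead of returning an empty string (before PHP 8.1
// the default flags would otherwise blank the whole message). Passing the
// charset explicitly keeps htmlentities() consistent with the encoding the
// page is actually served in.
function notFoundMessageSafe(string $filename, string $pageEncoding = 'UTF-8'): string
{
    return htmlentities($filename, ENT_QUOTES | ENT_SUBSTITUTE, $pageEncoding)
        . ' does not exist';
}

// Constructed input: the URL-decoded filename from the report's request.
$payload = '<script>alert(1)</script>';

echo '<p>', notFoundMessageVulnerable($payload), "</p>\n"; // script tag reaches the browser as markup
echo '<p>', notFoundMessageSafe($payload), "</p>\n";       // angle brackets become entities, rendered as text
```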