A Cross-site Scripting (XSS) vulnerability in the "Active Devices" panel of the main admin dashboard can be exploited by unprivileged users to hijack admin Emby accounts.
The Emby admin home page (mediabrowser/web/dashboard.html) displays information about currently connected devices. The Version and Device fields of user-connected devices are displayed to admins without sanitization, allowing unprivileged attackers to inject JavaScript into the admin dashboard.
(The same fields trigger XSS on the Devices page as well: mediabrowser/web/devices.html)
In the following setup, there are two users: guest (an unprivileged attacker who is not able to administer the server or even change its own account settings) and an admin account.
To reproduce:
Attacker logs into the Emby server using the guest account, and then sends any request with the following Authorization header:
When an admin logs into the server and views the home page (dashboard), they view the following:
While I only show a simple alert() box in the image above, an attacker can use the JavaScript to perform any action as the admin, representing a full account hijack. The most likely payload would be to create a new admin account using the compromised one, then simply log in.
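The root cause described above is that client-controlled header fields reach the admin page as raw markup. The following is an added example (not Emby's own code) showing the vulnerable interpolation pattern beside an escaped version, plus a simple check a server could run on the header fields for logging or alerting. It assumes the header has the shape `MediaBrowser Client="...", Device="...", DeviceId="...", Version="..."` and that quoted values contain no embedded double quotes; the sample header is constructed, not taken from the report.

```javascript
// Added example, not Emby's code. Escape untrusted Device/Version fields
// before they are rendered in the admin dashboard.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that change meaning in HTML text/attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Parse a `MediaBrowser Key="value", Key2="value2"` style header into an object.
// Assumed header shape; values are expected not to contain a double quote.
function parseAuthHeader(header) {
  const fields = {};
  const re = /(\w+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(header)) !== null) fields[m[1]] = m[2];
  return fields;
}

// Vulnerable pattern (as the report describes): raw string interpolation into markup.
function renderDeviceRowUnsafe(device) {
  return `<div class="device">${device.Device} (${device.Version})</div>`;
}

// Hardened pattern: every client-controlled field passes through escapeHtml.
function renderDeviceRowSafe(device) {
  return `<div class="device">${escapeHtml(device.Device)} (${escapeHtml(device.Version)})</div>`;
}

// Server-side check for logging/alerting: true when a client-supplied field
// carries characters that only matter inside HTML (a device name never needs them).
function hasMarkupCharacters(value) {
  return /[<>"'&]/.test(String(value));
}

// Constructed sample header (not a real payload from the report).
const SAMPLE_HEADER =
  'MediaBrowser Client="Emby Web", Device="Kodi <b>box</b> & co", DeviceId="abc123", Version="4.7<i>x</i>"';

const sampleDevice = parseAuthHeader(SAMPLE_HEADER);
```

Compare `renderDeviceRowUnsafe(sampleDevice)` with `renderDeviceRowSafe(sampleDevice)`: the first hands the `<b>` and `<i>` tags to the browser's parser, the second renders them as literal text.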
Thanks!