Ampache Cross-Site Request Forgery Vulnerability in Private Messaging and Follow Functions

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Ampache versions through 6.6.0. This vulnerability affects the private messaging and follower management features, specifically through the 'pvmsg.php?action=add_message', 'pvmsg.php?action=confirm_delete', and 'ajax.server.php?page=user&action=flip_follow' endpoints. The absence of proper anti-CSRF measures allows malicious users to send or delete private messages and manipulate follow/unfollow actions without the user's consent.

Impact

Exploitation of this vulnerability allows for unauthorized actions on behalf of users, including sending or deleting private messages and managing follow relationships.

Reproduction

To reproduce this vulnerability, send a POST request to the 'pvmsg.php?action=add_message' endpoint without a valid 'form_validation' parameter to bypass the CSRF protection. Similarly, for the 'pvmsg.php?action=confirm_delete' endpoint, remove or empty the 'form_validation' parameter to delete messages without authorization. The 'ajax.server.php?page=user&action=flip_follow' endpoint can be exploited by sending a request to flip follow status without any anti-CSRF token.