Good day! In this article I will show you how I found a simple issue on chapterdb.plex.tv (Plex TV) that allow me to get their Contributors and 3rd party contributors email address and local path of the movies they contributed thru their feature that any user can download the XML file from the Contributors profile.
So I was having a good time hunting on this program since the last few weeks and I found some issues which is mostly a Business Logic issues that earned me a couple bucks.
So long story short, here's my report timeline and proof of concept of this issue.
--Proof of Concept--
1. Go to http://chapterdb.plex.tv
2. Go to http://chapterdb.plex.tv/contributors
3. Select any contributors from the page. in my demo I will use this one (http://chapterdb.plex.tv/browse?createdBy=<REDACTED>)
4. Select any movie from dongafford's page. in my demo I will use this one (http://chapterdb.plex.tv/browse/<REDACTED>)
5. In the upper right corner you will see a Download button, hover your mouse cursor into the button and click the XML (I prefer the XML download so that you can easily check the datas)
6. Download the XML file
7. Open the XML file and see the result
Result (Demo PoC):
<?xml version="1.0"?>-<chapterInfo xml:lang="eng" xmlns="http://jvance.com/2008/ChapterGrabber" confirmations="11" client="ChapterGrabber 4.4" extractor="ChapterGrabber 4.4" version="2"><title>Tommy Boy</title>
-<ref><chapterSetId><REDACTED></chapterSetId></ref>-<source><name>D:\BDMV\PLAYLIST\00001.mpls</name> <---- PATH LEAKAGE<type>Blu-Ray</type><hash>a50136227ca54eed0b46fff609511448</hash><fps>23.976023976023978</fps><duration>01:37:03.8180000</duration></source>-<chapters><chapter name="School Daze" time="00:00:00"/><chapter name="Sandusky, Ohio" time="00:05:28.7450666"/><chapter name="A Perfect 10" time="00:13:02.5317333"/><chapter name="Cow Tipping" time="00:15:25.8415777"/><chapter name="Wonder Boy" time="00:18:21.8507333"/><chapter name="The Luckiest Man in the World" time="00:21:12.5629555"/><chapter name="Playing with Your Dinghy" time="00:27:35.4037333"/><chapter name="The Future of Callahan" time="00:30:30.2867777"/><chapter name="On the Road" time="00:33:04.4407777"/><chapter name="Whadya Do?" time="00:36:42.6170666"/><chapter name="Bad Mommy" time="00:39:11.1404444"/><chapter name="Road Kill" time="00:41:26.6091111"/><chapter name="Fat Guy in a Little Coat" time="00:46:19.1930666"/><chapter name="Oh, Baby" time="00:49:16.4952000"/><chapter name="A Pretty New Pet" time="00:52:27.7279111"/><chapter name="Guarantee" time="00:55:45.3836888"/><chapter name="Spanky" time="00:59:10.9640666"/><chapter name="On the Road to Success" time="01:02:14.6475777"/><chapter name="Heading Home" time="01:06:30.6950222"/><chapter name="Killer Bees" time="01:10:25.4712444"/><chapter name="Fly Boys" time="01:12:45.9866222"/><chapter name="Zalinsky Auto Parts" time="01:17:36.6102888"/><chapter name="I've Got a Plan" time="01:23:54.1541111"/><chapter name="The New President" time="01:30:16.9114888"/></chapters><createdBy>d[REDACTED][email protected]</createdBy> <--- Contributor's Email Address<createdDate>2011-01-29T11:09:50.35-05:00</createdDate><updatedBy>a[REDACTED][email protected]</updatedBy> <--- 3rd Party Contributor's Email Address<updatedDate>2017-12-05T01:11:36.2260171-07:00</updatedDate></chapterInfo>
--Report Timeline--
Report Title: Vulnerability Issue (Business Logic Issue - Information Disclosure of Contributors in http://chapterdb.plex.tv)
Reported: Wed, Jul 3, 2019, 5:05 PM
First Response: Mon, Jul 8, 11:53 PM
Hi Evan,Fixed: Fri, Jul 12, 9:18 AM
We are still looking into this issue.
Regards,The Plex Security Team
Hello,Final Decision: Not qualified for a bounty since as what they have said on their last email, they didn't own the code for ChapterDB and they reached out the owner and says that "He's not even actively maintaining the code anymore (which is why it's a read-only archive). As he is no longer involved or maintaining the project anymore."
We believe the issue is fixed, but since we don't maintain the code for this project ourselves, we're reaching out to the original developer to make sure. It seems to be fixed on most, but not all movies.
Regards,
The Plex Security Team
Public Disclosure Request: Tue, Jul 23, 10:05 AM
Fixed
I hope you enjoy this write up. have a great day!
“There are no shortcuts to any place worth going.”
Beverly Sills
No comments:
Post a Comment