Andromeda Streaming MP3 Server v1.9.3.6 (s param) Remote XSS Vulnerability


Vendor: Turnstyle
Product web page: http://www.turnstyle.com
Affected version: 1.9.3.6 PHP (2012)

Summary: Turn your MP3 collection into an MP3 server. Simply add a
single PHP or ASP script to any folder within your site. Now you
can browse and play the contents of that folder - over the Web, or
over your local network.

Desc: Andromeda is prone to a cross-site scripting vulnerability.
This issue is due to a failure in the application to properly
sanitize user-supplied input to the 's' parameter of the 'andromeda.php'
script.

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.21
           PHP 5.3.9
           MySQL 5.5.20


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2012-5087
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5087.php


08.05.2012

--

 Dork: "powered by andromeda version"

 PoC: http://localhost/AndromedaPHP/andromeda.php?q=s&s="><script>alert(1);</script>