MAJOR BUG - Subsonic XSS Vulnerbility
Posted: Mon Dec 08, 2014 8:06 pmIn certain situations, album names are not properly html-escaped, which can lead to XSS (Cross-site scripting) attacks.
POC (Proof of concept):
1) Set an abum title to:
the "alert('xss');" code will display a simple alert message, but can be replaced with any javascript code.
2) Visit where this album is displayed in a vulnerable way, such as https://mysubsonicip:4050/home.view?listType=newest
3) The javascript will be executed.
Using this vulnerability it is possible for an attacker that has privileges to edit tags and leave javascript waiting for another user to view the album. When another user views the album, with well-crafted javascript code the attacker can compromise the user's subsonic account, automatically execute any action on the subsonic web interface as if it was the victim users making the actions, or even compromise the victim's computer if another vulnerability exists in their browser.
This vulnerability does not affect the server or subsonic core, but it is feasible that an attacker could execute any action an administrator is capable of, (Including deleting users, changing passwords, deleting media, etc).
Read more about XSS here: http://en.wikipedia.org/wiki/Cross-site_scripting
Mitigating this vulnerability is as simple as replacing " and < with " and <. This will cause this browser to display the actual characters instead of interpreting it as HTML code and executing the javascript.
My subsonic version where this bug was noticed is: "5.0 (build 4100) – September 21, 2014". I am running it on Ubuntu linux, 64 bit.
POC (Proof of concept):
1) Set an abum title to:
- Code: Select all
"><script type="text/javascript">alert('xss');</script>
the "alert('xss');" code will display a simple alert message, but can be replaced with any javascript code.
2) Visit where this album is displayed in a vulnerable way, such as https://mysubsonicip:4050/home.view?listType=newest
3) The javascript will be executed.
Using this vulnerability it is possible for an attacker that has privileges to edit tags and leave javascript waiting for another user to view the album. When another user views the album, with well-crafted javascript code the attacker can compromise the user's subsonic account, automatically execute any action on the subsonic web interface as if it was the victim users making the actions, or even compromise the victim's computer if another vulnerability exists in their browser.
This vulnerability does not affect the server or subsonic core, but it is feasible that an attacker could execute any action an administrator is capable of, (Including deleting users, changing passwords, deleting media, etc).
Read more about XSS here: http://en.wikipedia.org/wiki/Cross-site_scripting
Mitigating this vulnerability is as simple as replacing " and < with " and <. This will cause this browser to display the actual characters instead of interpreting it as HTML code and executing the javascript.
My subsonic version where this bug was noticed is: "5.0 (build 4100) – September 21, 2014". I am running it on Ubuntu linux, 64 bit.
