Subsonic Premium Security Hole

Got an idea? Missing something? Post your feature request here.

Moderator: moderators

Subsonic Premium Security Hole

Postby Kirk » Wed Apr 17, 2013 5:46 pm

I sure hope somebody's caught this... after upgrading to Subsonic 4.8, I have a "Subsonic Premium" link with a little heart icon right below the "Log out" link.

Any user (even non-administrative) can see this link, and click it.
This is problematic because non-administrative users are given the option to change license information, and\or steal the license key from this page easily.
Image
User avatar
Kirk
 
Posts: 310
Joined: Tue Jun 08, 2010 5:45 pm
Location: Illinois, USA

Re: Subsonic Premium Security Hole

Postby regentswift » Wed Apr 17, 2013 7:36 pm

I was just about to post about this. What can be done about this?
User avatar
regentswift
 
Posts: 6
Joined: Tue Feb 19, 2013 10:52 pm

Re: Subsonic Premium Security Hole

Postby regentswift » Wed Apr 17, 2013 7:44 pm

My short term security fix (which isn't the best, but keeps people from messing with it) is this:

In the \subsonic\jetty\3423\webapp\WEB-INF\jsp\premium.jsp file:
Delete lines 28 through 81, from "<c:if test="${command.licenseInfo.licenseValid}">" to the last "</c:if>"

In \subsonic\jetty\3423\webapp\WEB-INF\jsp\top.jsp file:
Delete lines 79 through 92, from "<br>" to "</c:choose>"
User avatar
regentswift
 
Posts: 6
Joined: Tue Feb 19, 2013 10:52 pm

Re: Subsonic Premium Security Hole

Postby sindre_mehus » Tue Apr 23, 2013 9:32 pm

Hi,

I fixed this bug a day or two after releasing 4.8 and put out an updated version. I didn't bother to make it 4.8.1, but if you just download and install 4.8 again you should be fine.

Sorry for the inconvenience,
Sindre
Subsonic developer
User avatar
sindre_mehus
 
Posts: 1955
Joined: Tue Nov 29, 2005 6:19 pm
Location: Oslo, Norway

Re: Subsonic Premium Security Hole

Postby pderwael » Thu Apr 25, 2013 6:45 am

Sindre,

Thank you for this

I will update in a few days, it was just a small detail anyhow!

Keep up the excellent work :D
pderwael
 
Posts: 18
Joined: Wed May 16, 2012 11:30 am

Re: Subsonic Premium Security Hole

Postby tomm1ed » Thu Apr 25, 2013 1:44 pm

sindre_mehus wrote:Hi,

I fixed this bug a day or two after releasing 4.8 and put out an updated version. I didn't bother to make it 4.8.1, but if you just download and install 4.8 again you should be fine.

Sorry for the inconvenience,
Sindre

Hi Sindre,

Could it be that you didn't update the WAR version as well? Just redeployed the latest on my Tomcat server and the 'Subsonic Premium' link is still there. When I click it tells me 'You have a valid Subsonic Premium license'
The WAR file is dated 17-4-2013 22:25
tomm1ed
 
Posts: 10
Joined: Thu Apr 18, 2013 12:49 pm

Re: Subsonic Premium Security Hole

Postby pderwael » Sun Apr 28, 2013 8:13 am

tomm1ed wrote:Hi Sindre,

Could it be that you didn't update the WAR version as well? Just redeployed the latest on my Tomcat server and the 'Subsonic Premium' link is still there. When I click it tells me 'You have a valid Subsonic Premium license'
The WAR file is dated 17-4-2013 22:25


Hi there

Same here, I have just downloaded and installed 4.8 again (WAR D/T: 17/04/2013 22:25)
pderwael
 
Posts: 18
Joined: Wed May 16, 2012 11:30 am

Re: Subsonic Premium Security Hole

Postby kyomi7502 » Mon Apr 29, 2013 10:06 pm

Same issue, but I just downloaded (4/29) and installed the Windows version and everywhere it tells me I've got the Subsonic Premium license.
That link is still up there even after a log off/on, service restart and server restart.
User avatar
kyomi7502
 
Posts: 69
Joined: Mon May 21, 2012 2:13 pm

Re: Subsonic Premium Security Hole

Postby atltrickster » Tue Apr 30, 2013 11:27 pm

I have subsonic deployed on a Tomcat server and will be upgrading shortly. For those of you that upgraded prior to a fix being in place, perhaps cleaning the files located in your work directory would resolve the issue you're experiencing.

Sent from my Nexus 4 using Tapatalk 2
atltrickster
 
Posts: 2
Joined: Wed Mar 20, 2013 12:20 am

Re: Subsonic Premium Security Hole

Postby Kirk » Wed May 01, 2013 3:04 am

sindre_mehus wrote:Hi,

I fixed this bug a day or two after releasing 4.8 and put out an updated version. I didn't bother to make it 4.8.1, but if you just download and install 4.8 again you should be fine.

Sorry for the inconvenience,
Sindre

Thanks for the update, Sindre. I'll go ahead and do this.

pderwael wrote:Keep up the excellent work :D

I'll second that!

Kirk
Image
User avatar
Kirk
 
Posts: 310
Joined: Tue Jun 08, 2010 5:45 pm
Location: Illinois, USA

Re: Subsonic Premium Security Hole

Postby ladfrombrad » Sat Oct 05, 2013 10:09 am

Hi,

I fixed this bug a day or two after releasing 4.8 and put out an updated version. I didn't bother to make it 4.8.1, but if you just download and install 4.8 again you should be fine.

Sorry for the inconvenience,
Sindre


Hi Sindre!

I just installed Subsonic 4.8 on a new Ubuntu install and I'm still seeing the Subsonic Premium link with non-admin accounts after activating my license. Now they can't change it like you can do with a admin account, but they can see my email that I registered with.

Am I missing something here as IIRC that wasn't visible in previous versions, right?
ladfrombrad
 
Posts: 3
Joined: Tue Jul 24, 2012 11:59 am

Re: Subsonic Premium Security Hole

Postby argh1980 » Wed Dec 04, 2013 3:05 pm

HI,

I just added a user for the first time and noticed the account can see the registration email, why?

I just updated to 4.9 beta thinking it may be fixed but it's the same in that version too. This must be a bug when will it be fixed is there a hack to the source code that can remove it?

Can I put a fictional email address in there?
argh1980
 
Posts: 4
Joined: Wed Dec 04, 2013 2:59 pm

Re: Subsonic Premium Security Hole

Postby ladfrombrad » Wed Dec 04, 2013 4:05 pm

This must be a bug when will it be fixed is there a hack to the source code that can remove it?


Yeah, I still get it going from 4.8 to the 4.9 beta and have had to use regentswift's 'fix' from above still.

regentswift wrote:My short term security fix (which isn't the best, but keeps people from messing with it) is this:

In the \subsonic\jetty\3423\webapp\WEB-INF\jsp\premium.jsp file:
Delete lines 28 through 81, from "<c:if test="${command.licenseInfo.licenseValid}">" to the last "</c:if>"

In \subsonic\jetty\3423\webapp\WEB-INF\jsp\top.jsp file:
Delete lines 79 through 92, from "<br>" to "</c:choose>"


edit: Note the \3423\ in the above file structure will be different for each version of Subsonic you have installed.

:|
ladfrombrad
 
Posts: 3
Joined: Tue Jul 24, 2012 11:59 am

Re: Subsonic Premium Security Hole

Postby argh1980 » Wed Dec 04, 2013 4:31 pm

I am on Windows 7 so don't seem to have that directory structure.

Looking through this thread it's been going on since April 17th so I can't see the developers fixing it anytime soon.
argh1980
 
Posts: 4
Joined: Wed Dec 04, 2013 2:59 pm


Return to Feature Requests

Who is online

Users browsing this forum: No registered users and 7 guests