lur1el opened this issue 10 months ago
@lur1el very nice thorough write-up, but maybe you didn't notice this project is dead. Hasn't been updated in over 4 years and no one answers the issues posted. Find a better, more recent CMS project that supports Laravel 10+
I have identified three security vulnerabilities in version 8.0.0. These vulnerabilities include Cross-Site Scripting (XSS), Directory Traversal in the Delete Feature, and Remote Command Execution. All vulnerabilities are exploitable in an authenticated state.
Stored cross-site scripting (also known as second-order or persistent XSS)
Stored Cross-Site Scripting (XSS) is a security vulnerability commonly found in web applications. It allows attackers to inject malicious scripts into web pages viewed by other users. This malicious code is stored on the server, such as in a database, and is then retrieved and displayed to users. Stored XSS attacks can lead to the theft of cookies, session tokens, or other sensitive information belonging to the victim. Unlike reflected XSS, which requires tricking a user into clicking a link, stored XSS does not require any action from the victim.
Steps to Reproduce
Affected Pages
Images
Remediation
Directory traversal on delete feature leading to Denial of Service (Admin level).
Directory traversal in a "delete" feature refers to a vulnerability where an attacker can access and delete files outside the intended directory in a system. By manipulating file paths, attackers can reach critical system files or directories. This can lead to Denial of Service (DoS) if essential files or services are deleted, rendering the application or server inoperative. The impact of such an attack can be severe, including system downtime, loss of data, and potential security breaches. This vulnerability underscores the importance of proper input validation and access controls in web applications.
Steps to Reproduce
Affected Endpoint
Images
Remediation
Remote command execution through file upload
Remote Command Execution (RCE) through file upload is a vulnerability where an attacker uploads a malicious file to a server, which is then executed. This often occurs when an application does not properly validate or restrict file types during the upload process. Successful exploitation allows the attacker to execute arbitrary code on the server, potentially gaining full control. The impact can include data theft, server hijacking, and the spread of malware to other systems. This highlights the critical need for stringent file upload security measures in web applications.
Steps to Reproduce
Note: This can also be achieved by editing the files at the endpoint -> /admin/themes/edit/2/
Affected Pages
Images
Remediation
All vulnerabilities were found in an authenticated state. Environment: the issues were found on Ubuntu with CoasterCMS version 8.0.0.
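The three findings above describe vulnerability classes generically, so the following is an added illustration of the corresponding server-side checks a maintainer would want in place: output encoding for stored content (stored XSS), confinement of a delete request to the uploads directory (directory traversal), and allow-list plus content-sniff validation of uploads (RCE via file upload). This is example code written for this issue, not CoasterCMS or Laravel code, and it is in Python rather than the project's PHP; every path, file name and helper (`render_comment`, `resolve_delete_target`, `safe_delete`, `validate_upload`, `demo_delete`) is constructed for the example.

```python
"""Defensive checks for the three reported vulnerability classes.

Added example, not CoasterCMS code. All names and sample inputs below are
constructed for illustration; the logic is framework-independent.
"""
import html
import os
import secrets
import tempfile
from pathlib import Path

# --- 1. Stored XSS: encode at output time, never trust what the database holds ---

def render_comment(stored_text: str) -> str:
    """Escape stored user content when it is rendered, so a payload saved in the
    database (for example a <script> tag in a page title) displays as inert text."""
    return '<div class="comment">' + html.escape(stored_text, quote=True) + "</div>"


# --- 2. Delete feature: confine the requested path to the uploads root ---

class PathTraversalError(ValueError):
    """Raised when a requested file name resolves outside the uploads directory."""


def resolve_delete_target(uploads_root: Path, requested: str) -> Path:
    """Resolve a user-supplied relative name inside uploads_root and refuse
    anything that escapes it (../ sequences, absolute paths, symlink hops)."""
    root = uploads_root.resolve()
    if os.path.isabs(requested):
        raise PathTraversalError("absolute paths are not allowed")
    target = (root / requested).resolve()  # collapses '..' and follows symlinks
    # The root itself and anything not strictly beneath it are rejected.
    if target == root or root not in target.parents:
        raise PathTraversalError(f"{requested!r} escapes the uploads directory")
    return target


def safe_delete(uploads_root: Path, requested: str) -> bool:
    """Delete only a regular file that lives under uploads_root; return True if removed."""
    target = resolve_delete_target(uploads_root, requested)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo_delete() -> dict:
    """Constructed scenario: a scratch uploads directory containing one file,
    followed by several traversal-style names that must all be blocked."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    (root / "banner.png").write_bytes(b"\x89PNG")
    results = {
        "legit": safe_delete(root, "banner.png"),
        "gone": not (root / "banner.png").exists(),
    }
    for bad in ("../../etc/passwd", "/etc/passwd", "", "../sibling/x"):
        try:
            resolve_delete_target(root, bad)
            results[bad] = "allowed"
        except PathTraversalError:
            results[bad] = "blocked"
    return results


# --- 3. Upload validation: extension allow-list, magic-byte check, neutral name ---

# Allowed extensions mapped to the leading bytes a genuine file of that type has.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def validate_upload(filename: str, content: bytes) -> str:
    """Return a server-chosen storage name or raise ValueError.

    Rejects anything not on the allow-list, rejects double extensions such as
    'shell.php.png', and verifies the content's magic bytes match the declared
    type so a script merely renamed to .png is refused. The stored name is
    random, so the client never controls what ends up on disk."""
    base = os.path.basename(filename)          # drop any directory component
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("filename must be name.ext with a single extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension .{ext} is not permitted")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("file content does not match the declared type")
    return f"{secrets.token_hex(16)}.{ext}"


def upload_is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would store the file."""
    try:
        validate_upload(filename, content)
        return True
    except ValueError:
        return False
```

Two points worth keeping in mind when porting these checks: the traversal guard works only because the path is resolved before the prefix comparison (a plain string `startswith` check on the unresolved path is what `../` defeats), and the upload check is a complement to, not a substitute for, storing uploads outside the web root or in a location where the web server does not execute scripts.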